
Windows Analysis Report
xJZHVgxQul.exe

Overview

General Information

Sample name: xJZHVgxQul.exe (renamed because the original name is a hash value)
Original sample name: d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf.exe
Analysis ID: 1588293
MD5: 20e0718ded5409c8ad729c85e4eacfb1
SHA1: df1d5d23084b07944abe9b081f61750cc382feb0
SHA256: d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • xJZHVgxQul.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\xJZHVgxQul.exe" MD5: 20E0718DED5409C8AD729C85E4EACFB1)
    • powershell.exe (PID: 3624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7488 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 3496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eWJxJJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2368 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xJZHVgxQul.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\xJZHVgxQul.exe" MD5: 20E0718DED5409C8AD729C85E4EACFB1)
  • eWJxJJ.exe (PID: 7388 cmdline: C:\Users\user\AppData\Roaming\eWJxJJ.exe MD5: 20E0718DED5409C8AD729C85E4EACFB1)
    • schtasks.exe (PID: 7620 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • eWJxJJ.exe (PID: 7668 cmdline: "C:\Users\user\AppData\Roaming\eWJxJJ.exe" MD5: 20E0718DED5409C8AD729C85E4EACFB1)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Yara matches in memory dumps:
Source | Rule | Description | Author
00000008.00000002.2967236057.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(15 further entries not shown in this extract)

Yara matches in unpacked PE files:
Source | Rule | Description | Author
0.2.xJZHVgxQul.exe.426b138.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.xJZHVgxQul.exe.426b138.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.xJZHVgxQul.exe.426b138.5.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
Matched strings for INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID:
  • 0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.xJZHVgxQul.exe.42a5b58.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.xJZHVgxQul.exe.42a5b58.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(18 further entries not shown in this extract)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xJZHVgxQul.exe", ParentImage: C:\Users\user\Desktop\xJZHVgxQul.exe, ParentProcessId: 6508, ParentProcessName: xJZHVgxQul.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe", ProcessId: 3624, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eWJxJJ.exe, ParentImage: C:\Users\user\AppData\Roaming\eWJxJJ.exe, ParentProcessId: 7388, ParentProcessName: eWJxJJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp", ProcessId: 7620, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\xJZHVgxQul.exe, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\xJZHVgxQul.exe", ParentImage: C:\Users\user\Desktop\xJZHVgxQul.exe, ParentProcessId: 6508, ParentProcessName: xJZHVgxQul.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp", ProcessId: 2368, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xJZHVgxQul.exe", ParentImage: C:\Users\user\Desktop\xJZHVgxQul.exe, ParentProcessId: 6508, ParentProcessName: xJZHVgxQul.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe", ProcessId: 3624, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\xJZHVgxQul.exe", ParentImage: C:\Users\user\Desktop\xJZHVgxQul.exe, ParentProcessId: 6508, ParentProcessName: xJZHVgxQul.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp", ProcessId: 2368, ProcessName: schtasks.exe
No Suricata rule has matched


AV Detection

Source: 0.2.xJZHVgxQul.exe.42a5b58.6.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe; ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe; Virustotal: Detection: 59%
Source: xJZHVgxQul.exe; Virustotal: Detection: 59%
Source: xJZHVgxQul.exe; ReversingLabs: Detection: 82%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe; Joe Sandbox ML: detected
Source: xJZHVgxQul.exe; Joe Sandbox ML: detected
Source: xJZHVgxQul.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: xJZHVgxQul.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: QpXjz.pdbSHA256; source: xJZHVgxQul.exe, eWJxJJ.exe.0.dr
Source: Binary string: QpXjz.pdb; source: xJZHVgxQul.exe, eWJxJJ.exe.0.dr

Networking

Source: Yara match; File source: 0.2.xJZHVgxQul.exe.438cff0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.xJZHVgxQul.exe.42eb978.3.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:57751 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 104.26.12.205
Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; TCP traffic: 192.168.2.4:49737 -> 46.175.148.58:25
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: global traffic; DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.iaa-airferight.com
Source: xJZHVgxQul.exe, 00000000.00000002.1747427029.0000000003211000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 00000009.00000002.1793361972.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown; Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Source: 0.2.xJZHVgxQul.exe.426b138.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.xJZHVgxQul.exe.42a5b58.6.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.xJZHVgxQul.exe.42a5b58.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 8.2.xJZHVgxQul.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.xJZHVgxQul.exe.426b138.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.xJZHVgxQul.exe.438cff0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.xJZHVgxQul.exe.42eb978.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_016842180_2_01684218
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_01684B000_2_01684B00
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_01686F920_2_01686F92
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_0168D4240_2_0168D424
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BBA8800_2_07BBA880
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BB26F80_2_07BB26F8
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BB4D380_2_07BB4D38
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BB43F00_2_07BB43F0
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BB43E00_2_07BB43E0
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BB22C00_2_07BB22C0
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_07BB49000_2_07BB4900
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_0107A1988_2_0107A198
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_0107E6B08_2_0107E6B0
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_0107A9608_2_0107A960
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_01074A988_2_01074A98
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_01073E808_2_01073E80
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_010741C88_2_010741C8
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_06697D688_2_06697D68
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066965E08_2_066965E0
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066955888_2_06695588
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_0669B20F8_2_0669B20F
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066923588_2_06692358
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066976888_2_06697688
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_06695CE88_2_06695CE8
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_0669E3888_2_0669E388
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066900408_2_06690040
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066902C68_2_066902C6
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_066900068_2_06690006
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_01744218
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_01746F90
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_0174D424
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_072A0FE8
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_072A0FF8
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B26F8
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B4D38
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B43F0
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B43E0
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B9A28
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B22C0
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_073B4900
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 9_2_07786DB8
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_0116E6A1
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_0116A960
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_01164A98
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_01163E80
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_011641C8
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B05588
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B065E0
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B07D68
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B0B20F
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B03040
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B07688
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B05CD3
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B0E388
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B02349
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B00040
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B00006
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Code function: 13_2_06B00160
                    Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1762398737.0000000005C00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1771461190.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQ, vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1771461190.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQpXjz.exe( vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1766907047.0000000007900000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1745850914.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000000.1705430579.0000000000CA2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQpXjz.exe( vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000000.00000002.1747427029.0000000003274000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000008.00000002.2964470056.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe, 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe | Binary or memory string: OriginalFilenameQpXjz.exe( vs xJZHVgxQul.exe
                    Source: xJZHVgxQul.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.xJZHVgxQul.exe.426b138.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.xJZHVgxQul.exe.42a5b58.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.xJZHVgxQul.exe.42a5b58.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.xJZHVgxQul.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.xJZHVgxQul.exe.426b138.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.xJZHVgxQul.exe.438cff0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.xJZHVgxQul.exe.42eb978.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: xJZHVgxQul.exe, 00000000.00000002.1747427029.0000000003274000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 00000009.00000002.1793361972.0000000003154000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: .Sln@\^q
                    Source: xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Njj.Sln
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/2
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | File created: C:\Users\user\AppData\Roaming\eWJxJJ.exe
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:560:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | File created: C:\Users\user\AppData\Local\Temp\tmp6409.tmp
                    Source: xJZHVgxQul.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: xJZHVgxQul.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: xJZHVgxQul.exe | Virustotal: Detection: 59%
                    Source: xJZHVgxQul.exe | ReversingLabs: Detection: 82%
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | File read: C:\Users\user\Desktop\xJZHVgxQul.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\xJZHVgxQul.exe "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Users\user\Desktop\xJZHVgxQul.exe "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\eWJxJJ.exe C:\Users\user\AppData\Roaming\eWJxJJ.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Process created: C:\Users\user\AppData\Roaming\eWJxJJ.exe "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: xJZHVgxQul.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: xJZHVgxQul.exeStatic file information: File size 1142784 > 1048576
                    Source: xJZHVgxQul.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: xJZHVgxQul.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: QpXjz.pdbSHA256 source: xJZHVgxQul.exe, eWJxJJ.exe.0.dr
                    Source: Binary string: QpXjz.pdb source: xJZHVgxQul.exe, eWJxJJ.exe.0.dr
                    Source: xJZHVgxQul.exeStatic PE information: 0x8AD3D0F3 [Thu Oct 22 14:36:35 2043 UTC]
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_0579B5F3 push eax; ret 0_2_0579B623
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_0579AF18 push eax; mov dword ptr [esp], ecx0_2_0579AF1C
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_05799B77 push 8BFFFFFFh; retf 0_2_05799B7F
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 0_2_05799B4D push 8BFFFFFFh; retf 0_2_05799B59
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_01070C55 push edi; retf 8_2_01070C7A
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeCode function: 8_2_0669FFBF push es; ret 8_2_0669FFC0
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeCode function: 9_2_072AF893 push esp; retf 9_2_072AF8B1
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeCode function: 13_2_06B0FFB0 push es; ret 13_2_06B0FFC0
                    Source: xJZHVgxQul.exeStatic PE information: section name: .text entropy: 6.883080208423551
                    Source: eWJxJJ.exe.0.drStatic PE information: section name: .text entropy: 6.883080208423551
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeFile created: C:\Users\user\AppData\Roaming\eWJxJJ.exeJump to dropped file

                    Boot Survival

                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 6508, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: eWJxJJ.exe PID: 7388, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 1680000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 3210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 5210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 92D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: A2D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: A4D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: B4D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 1030000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 2A60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 1740000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 30F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 50F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 9170000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 7B10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: A170000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: B170000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 1160000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 2E20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory allocated: 4E20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5636
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4833
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Window / User API: threadDelayed 3840
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Window / User API: threadDelayed 5993
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Window / User API: threadDelayed 2823
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Window / User API: threadDelayed 6996
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 6628 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7068 | Thread sleep count: 5636 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940 | Thread sleep count: 225 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep count: 35 > 30
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -32281802128991695s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7544 | Thread sleep count: 3840 > 30
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99637s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99516s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99405s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7544 | Thread sleep count: 5993 > 30
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99297s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -99063s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98938s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98828s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98719s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98594s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97985s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97219s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -97000s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96891s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96766s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96641s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96531s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96422s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96313s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96188s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -96063s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95953s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95840s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95625s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95516s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95391s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95282s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95157s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -95032s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94922s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94813s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94688s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94563s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94438s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94313s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe TID: 7516 | Thread sleep time: -94203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7448 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep count: 31 > 30
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7792 | Thread sleep count: 2823 > 30
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7792 | Thread sleep count: 6996 > 30
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99759s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99657s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99538s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep count: 37 > 30
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -99078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -96110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -94110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe TID: 7788 | Thread sleep time: -93985s >= -30000s
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99875
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99765
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99637
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99516
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99405
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99297
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99188
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 99063
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98938
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98828
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98719
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98594
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98485
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98360
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98235
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 98110
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97985
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97860
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97735
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97610
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97485
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97360
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97219
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97110
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 97000
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96891
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96766
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96641
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96531
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96422
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96313
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96188
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 96063
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95953
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95840
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95735
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95625
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95516
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95391
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95282
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95157
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 95032
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94922
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94813
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94688
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94563
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94438
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94313
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Thread delayed: delay time: 94203
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99874
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99759
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99657
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99538
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99422
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99313
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99188
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 99078
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98969
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98844
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98735
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98610
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98485
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98360
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Thread delayed: delay time: 98235
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 98110
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97985
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97860
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97735
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97610
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97485
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97360
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97235
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 97110
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96985
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96860
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96735
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96610
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96485
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96360
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96235
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 96110
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95985
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95860
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95735
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95610
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95485
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95360
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95235
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 95110
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94985
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94860
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94735
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94610
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94485
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94360
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94235
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 94110
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeThread delayed: delay time: 93985
                    Source: xJZHVgxQul.exe, 00000008.00000002.2965483939.0000000000C45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
                    Source: eWJxJJ.exe, 0000000D.00000002.2966828531.0000000001246000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Memory written: C:\Users\user\Desktop\xJZHVgxQul.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Memory written: C:\Users\user\AppData\Roaming\eWJxJJ.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Process created: C:\Users\user\Desktop\xJZHVgxQul.exe "C:\Users\user\Desktop\xJZHVgxQul.exe"
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp"
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Process created: C:\Users\user\AppData\Roaming\eWJxJJ.exe "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Users\user\Desktop\xJZHVgxQul.exe VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Users\user\Desktop\xJZHVgxQul.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Users\user\AppData\Roaming\eWJxJJ.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Users\user\AppData\Roaming\eWJxJJ.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.426b138.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42a5b58.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42a5b58.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.xJZHVgxQul.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.426b138.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.438cff0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42eb978.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2967236057.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2967765524.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2967236057.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 6508, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: eWJxJJ.exe PID: 7668, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\xJZHVgxQul.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\eWJxJJ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.426b138.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42a5b58.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42a5b58.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.xJZHVgxQul.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.426b138.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.438cff0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42eb978.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2967236057.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 6508, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: eWJxJJ.exe PID: 7668, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.xJZHVgxQul.exe.426b138.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42a5b58.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42a5b58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.xJZHVgxQul.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xJZHVgxQul.exe.426b138.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xJZHVgxQul.exe.438cff0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xJZHVgxQul.exe.42eb978.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2967236057.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2967765524.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2967236057.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 6508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xJZHVgxQul.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eWJxJJ.exe PID: 7668, type: MEMORYSTR
MITRE ATT&CK Matrix (numbers preceding a technique are the signature counts shown in the original matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Scheduled Task/Job | 1 Software Packing | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 211 Security Software Discovery | Distributed Component Object Model | Input Capture | 23 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1588293 | Sample: xJZHVgxQul.exe | Start date: 10/01/2025 | Architecture: WINDOWS | Score: 100

Contacted hosts: mail.iaa-airferight.com; api.ipify.org; 206.23.85.13.in-addr.arpa
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 7 other signatures

Process tree:

xJZHVgxQul.exe (started)
    Dropped files: C:\Users\user\AppData\Roaming\eWJxJJ.exe (PE32); C:\Users\user\...\eWJxJJ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp6409.tmp (XML); C:\Users\user\AppData\...\xJZHVgxQul.exe.log (ASCII)
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    xJZHVgxQul.exe (started)
        Network: api.ipify.org 104.26.12.205, ports 443, 49735, 49739, CLOUDFLARENETUS, United States; mail.iaa-airferight.com 46.175.148.58, port 25, ASLAGIDKOM-NETUA, Ukraine
    powershell.exe (started)
        Signatures: Loading BitLocker PowerShell Module
        conhost.exe (started)
        WmiPrvSE.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
eWJxJJ.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    eWJxJJ.exe (started)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
        conhost.exe (started)

Source | Detection | Scanner | Label
xJZHVgxQul.exe | 59% | Virustotal |
xJZHVgxQul.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
xJZHVgxQul.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\eWJxJJ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\eWJxJJ.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\eWJxJJ.exe | 59% | Virustotal |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
api.ipify.org | 104.26.12.205 | true | false | | high
206.23.85.13.in-addr.arpa | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | xJZHVgxQul.exe, 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xJZHVgxQul.exe, 00000000.00000002.1747427029.0000000003211000.00000004.00000800.00020000.00000000.sdmp, xJZHVgxQul.exe, 00000008.00000002.2967236057.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 00000009.00000002.1793361972.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, eWJxJJ.exe, 0000000D.00000002.2967765524.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | xJZHVgxQul.exe, 00000000.00000002.1763287021.00000000073B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588293
Start date and time: 2025-01-10 23:36:46 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xJZHVgxQul.exe (renamed because the original name is a hash value)
Original Sample Name: d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/15@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 207
• Number of non-executed functions: 21
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.85.23.206, 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:37:42 | API Interceptor | 179x Sleep call for process: xJZHVgxQul.exe modified
17:37:44 | API Interceptor | 39x Sleep call for process: powershell.exe modified
17:37:47 | API Interceptor | 172x Sleep call for process: eWJxJJ.exe modified
22:37:31 | Task Scheduler | Run new task: {60D1C0C7-5BE1-483F-9605-F930E9FD610A} path:
22:37:45 | Task Scheduler | Run new task: eWJxJJ path: C:\Users\user\AppData\Roaming\eWJxJJ.exe
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        104.26.12.205Yoranis Setup.exeGet hashmaliciousUnknownBrowse
                                                                                        • api.ipify.org/
                                                                                        RtU8kXPnKr.exeGet hashmaliciousQuasarBrowse
                                                                                        • api.ipify.org/
                                                                                        jgbC220X2U.exeGet hashmaliciousUnknownBrowse
                                                                                        • api.ipify.org/?format=text
                                                                                        xKvkNk9SXR.exeGet hashmaliciousTrojanRansomBrowse
                                                                                        • api.ipify.org/
                                                                                        GD8c7ARn8q.exeGet hashmaliciousTrojanRansomBrowse
                                                                                        • api.ipify.org/
                                                                                        8AbMCL2dxM.exeGet hashmaliciousRCRU64, TrojanRansomBrowse
                                                                                        • api.ipify.org/
                                                                                        Simple2.exeGet hashmaliciousUnknownBrowse
                                                                                        • api.ipify.org/
                                                                                        Ransomware Mallox.exeGet hashmaliciousTargeted RansomwareBrowse
                                                                                        • api.ipify.org/
                                                                                        Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                                                        • api.ipify.org/
                                                                                        6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                                                        • api.ipify.org/
Match: 46.175.148.58
  jG8N6WDJOx.exe | malicious | AgentTesla
  HGhGAjCVw5.exe | malicious | AgentTesla
  0PPJsQE4wD.exe | malicious | AgentTesla
  kzy8qg5lbR.exe | malicious | AgentTesla
  OP53532 Harumi new order.scr.exe | malicious | AgentTesla
  INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla
  Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla
  proforma invoice.exe | malicious | AgentTesla
  Overdue_payment.pdf.exe | malicious | AgentTesla
  PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: mail.iaa-airferight.com
  jG8N6WDJOx.exe | malicious | AgentTesla | 46.175.148.58
  HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
  0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
  kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
  OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
  INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
  Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58
  proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
  Overdue_payment.pdf.exe | malicious | AgentTesla | 46.175.148.58
  PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | 46.175.148.58
Match: api.ipify.org
  jG8N6WDJOx.exe | malicious | AgentTesla | 104.26.13.205
  HGhGAjCVw5.exe | malicious | AgentTesla | 104.26.13.205
  https://glfbanks.com/ | malicious | HTMLPhisher | 104.26.12.205
  s2Jg1MAahY.exe | malicious | AgentTesla | 104.26.12.205
  Y8Q1voljvb.exe | malicious | AgentTesla | 104.26.12.205
  IUqsn1SBGy.exe | malicious | AgentTesla | 104.26.13.205
  DpTbBYeE7J.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
  RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 104.26.13.205
  7DpzcPcsTS.exe | malicious | AgentTesla | 172.67.74.152
  B8FnDUj8hy.exe | malicious | AgentTesla | 104.26.13.205
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: CLOUDFLARENETUS
  Ddj3E3qerh.exe | malicious | Snake Keylogger | 104.21.96.1
  Setup.exe | malicious | Unknown | 104.21.80.1
  Setup.exe | malicious | LummaC | 172.67.162.153
  Setup.exe | malicious | LummaC | 172.67.223.109
  6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
  PK5pHX4Gu5.exe | malicious | MassLogger RAT | 104.21.64.1
  Full-Ver_Setup.exe | malicious | LummaC Stealer | 104.21.11.60
  7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
  C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
  rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
Match: ASLAGIDKOM-NETUA
  jG8N6WDJOx.exe | malicious | AgentTesla | 46.175.148.58
  HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
  0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
  kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
  OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
  INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
  Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58
  proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
  Overdue_payment.pdf.exe | malicious | AgentTesla | 46.175.148.58
  PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | 46.175.148.58
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
  C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.26.12.205
  rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
  4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.26.12.205
  Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
  3j7f6Bv4FT.exe | malicious | Unknown | 104.26.12.205
  3j7f6Bv4FT.exe | malicious | Unknown | 104.26.12.205
  b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
  9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
  iRmpdWgpoF.exe | malicious | Unknown | 104.26.12.205
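The context tables above carry the triage signal a responder needs before turning anything into a detection: 46.175.148.58 and mail.iaa-airferight.com are related only to AgentTesla analyses, while api.ipify.org, the CLOUDFLARENETUS ASN and the JA3 hash 3b5074b1b5d032e5620f69f9f700ff0e are related to Snake Keylogger, LummaC, MassLogger, GuLoader, HTMLPhisher, ransomware and other unrelated families, i.e. they are shared or public infrastructure (api.ipify.org is a public IP-echo service). The following Python is an added example, not part of the Joe Sandbox report: it transcribes the tables as data, applies a heuristic (an assumption, not a Joe Sandbox rule) that an indicator tied to more than two distinct families, or any ASN/JA3 match, is too coarse to alert on alone, and then runs the resulting indicator set over a few constructed log lines in an invented "timestamp host event key=value" format. Only the campaign-specific indicators produce high-confidence hits.

```python
import re

# Context rows transcribed from this report's IP, domain, ASN and JA3 tables:
# indicator -> (indicator type, threat names of each related analysis).
CONTEXT = {
    "46.175.148.58": ("ip",
        ["AgentTesla"] * 9 + ["AgentTesla, PureLog Stealer"]),
    "mail.iaa-airferight.com": ("domain",
        ["AgentTesla"] * 9 + ["AgentTesla, PureLog Stealer"]),
    "api.ipify.org": ("domain",
        ["AgentTesla"] * 7 + ["HTMLPhisher", "AgentTesla, PureLog Stealer", "AgentTesla, RedLine",
         # rows where api.ipify.org/ appears as URL context in the IP table
         "TrojanRansom", "RCRU64, TrojanRansom", "Unknown", "Targeted Ransomware", "Remcos"]),
    "CLOUDFLARENETUS": ("asn",
        ["Snake Keylogger", "Unknown", "LummaC", "LummaC", "Snake Keylogger, VIP Keylogger",
         "MassLogger RAT", "LummaC Stealer", "MassLogger RAT, PureLog Stealer",
         "PureLog Stealer, Snake Keylogger, VIP Keylogger", "GuLoader, MassLogger RAT"]),
    "ASLAGIDKOM-NETUA": ("asn",
        ["AgentTesla"] * 9 + ["AgentTesla, PureLog Stealer"]),
    "3b5074b1b5d032e5620f69f9f700ff0e": ("ja3",
        ["Snake Keylogger, VIP Keylogger", "PureLog Stealer, Snake Keylogger, VIP Keylogger",
         "GuLoader, MassLogger RAT", "GuLoader, Snake Keylogger", "Snake Keylogger, VIP Keylogger",
         "Unknown", "Unknown", "GuLoader, MassLogger RAT", "GuLoader, MassLogger RAT", "Unknown"]),
}

# Heuristic (an assumption for this example): more than MAX_FAMILIES distinct
# families means shared infrastructure; ASN and JA3 matches are always too coarse.
MAX_FAMILIES = 2
COARSE_TYPES = {"asn", "ja3"}

def families(rows):
    """Distinct threat families named across the rows, ignoring 'Unknown'."""
    return {f.strip() for row in rows for f in row.split(",") if f.strip() != "Unknown"}

def triage(context=CONTEXT, max_families=MAX_FAMILIES):
    """Map each (lower-cased) indicator to (verdict, type, families)."""
    out = {}
    for indicator, (kind, rows) in context.items():
        fams = families(rows)
        shared = kind in COARSE_TYPES or len(fams) > max_families
        out[indicator.lower()] = ("shared" if shared else "specific", kind, fams)
    return out

# Constructed log lines (not from the report): "<timestamp> <host> <event> <key=value>...".
SAMPLE_LOG = [
    "2025-01-10T10:01:02Z host1 dns query=mail.iaa-airferight.com type=A",
    "2025-01-10T10:01:03Z host1 conn dst=46.175.148.58 proto=tcp",
    "2025-01-10T10:01:04Z host1 tls sni=api.ipify.org ja3=3b5074b1b5d032e5620f69f9f700ff0e",
    "2025-01-10T10:02:00Z host2 tls sni=api.ipify.org ja3=3b5074b1b5d032e5620f69f9f700ff0e",
    "2025-01-10T10:03:00Z host3 dns query=example.com type=A",
]

PATTERNS = [
    ("ip", re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")),
    ("domain", re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")),
    ("ja3", re.compile(r"\bja3=([0-9a-f]{32})\b")),
]

def scan(lines, triaged):
    """One hit per (line, indicator); confidence follows the triage verdict."""
    hits = []
    for line in lines:
        host = line.split()[1]
        lowered = line.lower()
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(lowered):
                entry = triaged.get(m.group(1))
                if entry is None or entry[1] != kind:
                    continue  # not an indicator of this type, or not on our list
                verdict, _, fams = entry
                hits.append({"host": host, "indicator": m.group(1), "type": kind,
                             "confidence": "high" if verdict == "specific" else "low",
                             "families": sorted(fams)})
    return hits

def hosts_to_escalate(hits):
    """Hosts with at least one campaign-specific indicator."""
    return {h["host"] for h in hits if h["confidence"] == "high"}

if __name__ == "__main__":
    verdicts = triage()
    for ind, (verdict, kind, fams) in verdicts.items():
        print(f"{verdict:8} {kind:6} {ind}  families={sorted(fams)}")
    hits = scan(SAMPLE_LOG, verdicts)
    for h in hits:
        print(h["confidence"], h["host"], h["type"], h["indicator"])
    print("escalate:", sorted(hosts_to_escalate(hits)))
```

With the constructed lines, host1 is escalated on the mail domain and the 46.175.148.58 connection, while host2, which only reached api.ipify.org with the common JA3, is reported at low confidence; the JA3 and ASN entries never escalate on their own because the page's own tables show them spread across five or more families.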
                                                                                                            No context

Process:C:\Users\user\AppData\Roaming\eWJxJJ.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1216
                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:C:\Users\user\Desktop\xJZHVgxQul.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1216
                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2232
                                                                                                            Entropy (8bit):5.379071839957789
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:bWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:bLHxvIIwLgZ2KRHWLOug8s
                                                                                                            MD5:4135B00B11C8089FA64CF40DE44EDC1C
                                                                                                            SHA1:3490E9A1BCB4FDEC9332379CD669FB69BB74A601
                                                                                                            SHA-256:A5E4501942BD47C58D7C3934AB6443BC684A3AD54A5709CB62EC2B45504BDC63
                                                                                                            SHA-512:DCB00F8E5764F5710DEEEAC6A810585B07570ECB2753FE83E8604E422FCC7C6B26C52518F385A3483480BCD93B1DC8016C103AC82E7AB823C6C49AB23D079871
                                                                                                            Malicious:false
                                                                                                            Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Users\user\Desktop\xJZHVgxQul.exe
                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1572
                                                                                                            Entropy (8bit):5.108512529143448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta5xLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTC1v
                                                                                                            MD5:B730169D0C908FA40AAF54E853917192
                                                                                                            SHA1:A0E241BF4CB8987E99A0D0D4F0497AE3DB4A1408
                                                                                                            SHA-256:6BCA510CC835DC7577E150CEED8AC8CE6E8F1707F4DD2859B453FE9EF31E4B22
                                                                                                            SHA-512:86BDE250FBF71EC87A62589E0773B4B45242016DA2E84A5358F111A35E28612350756E267D9397F68EDDC22CB835C02FDAAEF6AB093C61E93893DC72FE5368BA
                                                                                                            Malicious:true
                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                            Process:C:\Users\user\AppData\Roaming\eWJxJJ.exe
                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1572
                                                                                                            Entropy (8bit):5.108512529143448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta5xLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTC1v
                                                                                                            MD5:B730169D0C908FA40AAF54E853917192
                                                                                                            SHA1:A0E241BF4CB8987E99A0D0D4F0497AE3DB4A1408
                                                                                                            SHA-256:6BCA510CC835DC7577E150CEED8AC8CE6E8F1707F4DD2859B453FE9EF31E4B22
                                                                                                            SHA-512:86BDE250FBF71EC87A62589E0773B4B45242016DA2E84A5358F111A35E28612350756E267D9397F68EDDC22CB835C02FDAAEF6AB093C61E93893DC72FE5368BA
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                            Process:C:\Users\user\Desktop\xJZHVgxQul.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1142784
                                                                                                            Entropy (8bit):6.847929298614678
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:hFF8EA/neBWMV96UTMMUsoSKTY6hbozirMB5gsKY2nN4jrIF:T6HeYMP6EoY6h8zi4B56XnNssF
                                                                                                            MD5:20E0718DED5409C8AD729C85E4EACFB1
                                                                                                            SHA1:DF1D5D23084B07944ABE9B081F61750CC382FEB0
                                                                                                            SHA-256:D2200969F527AD8529714C8FDD97AE9646EAA76C702DFCD71DD2AD7E84898CDF
                                                                                                            SHA-512:696FDBD50CF4F889B8B786838395A7D5C993152F2D320F73473A69A0B22AC7425F46B5DAFE31191EA991BC3105A4EA7060F70418521EE543716DC044567F1B03
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 83%
                                                                                                            • Antivirus: Virustotal, Detection: 59%, Browse
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0.............f.... ........@.. ....................................@.....................................O.......................................p............................................ ............... ..H............text...l.... ...................... ..`.rsrc...............................@..@.reloc...............n..............@..B................E.......H............R......J.......0............................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&*..0...........s2.....o.....*..0...........sA.....o.....*..0...........s/.....o.....*..0...........s8.....o.....*..0...........s;.....o.....*..0...........s>.....o.....*..0...........s5.....o.....*..0...........sD.....o.....*..0...........sG.....o.....*..0...........s .
                                                                                                            Process:C:\Users\user\Desktop\xJZHVgxQul.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):6.847929298614678
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            File name:xJZHVgxQul.exe
                                                                                                            File size:1'142'784 bytes
                                                                                                            MD5:20e0718ded5409c8ad729c85e4eacfb1
                                                                                                            SHA1:df1d5d23084b07944abe9b081f61750cc382feb0
                                                                                                            SHA256:d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf
                                                                                                            SHA512:696fdbd50cf4f889b8b786838395a7d5c993152f2d320f73473a69a0b22ac7425f46b5dafe31191ea991bc3105a4ea7060f70418521ee543716dc044567f1b03
                                                                                                            SSDEEP:12288:hFF8EA/neBWMV96UTMMUsoSKTY6hbozirMB5gsKY2nN4jrIF:T6HeYMP6EoY6h8zi4B56XnNssF
                                                                                                            TLSH:C0356E3F087D12F7C575C37C8AE44897A1B09C5F7184B86546E65B79A33AA063C8F22E
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@................................
                                                                                                            Icon Hash:2946e68e96b3ca4d
                                                                                                            Entrypoint:0x4ed366
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x8AD3D0F3 [Thu Oct 22 14:36:35 2043 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xed311 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xee000 | 0x2b71c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xebac0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xeb36c | 0xeb400 | 2cb1292a03fe332d0e7bb4d5b897a0d2 | False | 0.6826566236052072 | data | 6.883080208423551 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xee000 | 0x2b71c | 0x2b800 | d83e3658a8fad638e120620707e59b5a | False | 0.20960174209770116 | data | 5.132620536995076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11a000 | 0xc | 0x200 | 7cda671670b38f967356daa663f2d0c6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xee2b0 | 0x3751 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9929383518113127
RT_ICON | 0xf1a04 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.0891251626641429
RT_ICON | 0x10222c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.13335610678999368
RT_ICON | 0x10b6d4 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.16816081330868762
RT_ICON | 0x110b5c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15594000944733113
RT_ICON | 0x114d84 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.23392116182572614
RT_ICON | 0x11732c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.274624765478424
RT_ICON | 0x1183d4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.41885245901639345
RT_ICON | 0x118d5c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5
RT_GROUP_ICON | 0x1191c4 | 0x84 | data | | | 0.7045454545454546
RT_VERSION | 0x119248 | 0x2e8 | data | | | 0.43548387096774194
RT_MANIFEST | 0x119530 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:37:46.349734068 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:46.349787951 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:46.349848986 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:46.357563019 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:46.357583046 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:46.838764906 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:46.839025021 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:46.869170904 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:46.869223118 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:46.869528055 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:47.020291090 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:47.029561996 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:47.075341940 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:47.149080992 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:47.149152040 CET | 443 | 49735 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:47.149372101 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:47.298537970 CET | 49735 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:48.171881914 CET | 49737 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:49.333789110 CET | 49737 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:50.246138096 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.246187925 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.246572971 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.251260042 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.251281023 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.705204010 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.705291033 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.707308054 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.707340002 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.707581997 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.765877008 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.811342001 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.876140118 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.876208067 CET | 443 | 49739 | 104.26.12.205 | 192.168.2.4
Jan 10, 2025 23:37:50.876378059 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:50.883296013 CET | 49739 | 443 | 192.168.2.4 | 104.26.12.205
Jan 10, 2025 23:37:51.456037045 CET | 49740 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:51.520288944 CET | 49737 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:52.457762957 CET | 49740 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:54.457781076 CET | 49740 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:55.520246983 CET | 49737 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:37:58.462065935 CET | 49740 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:38:03.535907030 CET | 49737 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:38:06.473560095 CET | 49740 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 23:38:12.590604067 CET | 57751 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 23:38:12.595463037 CET | 53 | 57751 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 23:38:12.595587015 CET | 57751 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 23:38:12.600471020 CET | 53 | 57751 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 23:38:13.098419905 CET | 57751 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 23:38:13.116213083 CET | 57751 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 23:38:13.121381998 CET | 53 | 57751 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 23:38:13.121452093 CET | 57751 | 53 | 192.168.2.4 | 162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:37:46.329875946 CET | 64825 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 23:37:46.336693048 CET | 53 | 64825 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 23:37:48.134521961 CET | 61464 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 23:37:48.171096087 CET | 53 | 61464 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 23:38:12.589958906 CET | 53 | 59980 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 23:38:13.149076939 CET | 63203 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 23:38:13.156845093 CET | 53 | 63203 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 23:37:46.329875946 CET | 192.168.2.4 | 1.1.1.1 | 0xf4d0 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:37:48.134521961 CET | 192.168.2.4 | 1.1.1.1 | 0x42f7 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:38:13.149076939 CET | 192.168.2.4 | 1.1.1.1 | 0x8225 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 23:37:46.336693048 CET | 1.1.1.1 | 192.168.2.4 | 0xf4d0 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:37:46.336693048 CET | 1.1.1.1 | 192.168.2.4 | 0xf4d0 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:37:46.336693048 CET | 1.1.1.1 | 192.168.2.4 | 0xf4d0 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:37:48.171096087 CET | 1.1.1.1 | 192.168.2.4 | 0x42f7 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:38:13.156845093 CET | 1.1.1.1 | 192.168.2.4 | 0x8225 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• api.ipify.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 104.26.12.205 | 443 | 7276 | C:\Users\user\Desktop\xJZHVgxQul.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:37:47 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2025-01-10 22:37:47 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:37:47 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 900027515e50185d-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1499&min_rtt=1489&rtt_var=579&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1858688&cwnd=238&unsent_bytes=0&cid=eec9cd7447116ba2&ts=322&x=0"
2025-01-10 22:37:47 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 104.26.12.205 | 443 | 7668 | C:\Users\user\AppData\Roaming\eWJxJJ.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:37:50 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2025-01-10 22:37:50 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:37:50 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 900027689baf8c48-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=2008&min_rtt=2000&rtt_var=756&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1460000&cwnd=215&unsent_bytes=0&cid=310b905b324aad65&ts=174&x=0"
2025-01-10 22:37:50 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


                                                                                                            Target ID:0
                                                                                                            Start time:17:37:40
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\Desktop\xJZHVgxQul.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\xJZHVgxQul.exe"
                                                                                                            Imagebase:0xca0000
                                                                                                            File size:1'142'784 bytes
                                                                                                            MD5 hash:20E0718DED5409C8AD729C85E4EACFB1
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1751392675.0000000004219000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1751392675.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:17:37:43
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\xJZHVgxQul.exe"
                                                                                                            Imagebase:0x120000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:17:37:43
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:17:37:43
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                                                                                                            Imagebase:0x120000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:17:37:43
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:17:37:43
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6409.tmp"
                                                                                                            Imagebase:0x240000
                                                                                                            File size:187'904 bytes
                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:7
                                                                                                            Start time:17:37:43
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:17:37:44
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\Desktop\xJZHVgxQul.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\xJZHVgxQul.exe"
                                                                                                            Imagebase:0x590000
                                                                                                            File size:1'142'784 bytes
                                                                                                            MD5 hash:20E0718DED5409C8AD729C85E4EACFB1
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2967236057.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2964047218.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2967236057.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2967236057.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:9
                                                                                                            Start time:17:37:45
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\AppData\Roaming\eWJxJJ.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\eWJxJJ.exe
                                                                                                            Imagebase:0xd00000
                                                                                                            File size:1'142'784 bytes
                                                                                                            MD5 hash:20E0718DED5409C8AD729C85E4EACFB1
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 83%, ReversingLabs
                                                                                                            • Detection: 59%, Virustotal, Browse
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:17:37:46
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                            Imagebase:0x7ff693ab0000
                                                                                                            File size:496'640 bytes
                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:11
                                                                                                            Start time:17:37:48
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJxJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp75DB.tmp"
                                                                                                            Imagebase:0x240000
                                                                                                            File size:187'904 bytes
                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:12
                                                                                                            Start time:17:37:48
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:13
                                                                                                            Start time:17:37:48
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\AppData\Roaming\eWJxJJ.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\eWJxJJ.exe"
                                                                                                            Imagebase:0xa00000
                                                                                                            File size:1'142'784 bytes
                                                                                                            MD5 hash:20E0718DED5409C8AD729C85E4EACFB1
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2967765524.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2967765524.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:false

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:11.5%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:1.3%
                                                                                                              Total number of Nodes:235
                                                                                                              Total number of Limit Nodes:13
34885 7bb8bd8 2 API calls 34880->34885 34886 7bb8adc 2 API calls 34880->34886 34887 7bb87d0 2 API calls 34880->34887 34888 7bb8696 4 API calls 34880->34888 34889 7bb8895 4 API calls 34880->34889 34890 7bb88ce 2 API calls 34880->34890 34891 7bb892d 4 API calls 34880->34891 34892 7bb8642 4 API calls 34880->34892 34893 7bb87e2 2 API calls 34880->34893 34894 7bb90a5 2 API calls 34880->34894 34895 7bb87c4 2 API calls 34880->34895 34881 7bb8262 34881->34840 34882->34881 34883->34881 34884->34881 34885->34881 34886->34881 34887->34881 34888->34881 34889->34881 34890->34881 34891->34881 34892->34881 34893->34881 34894->34881 34895->34881 34897 7bb8f21 34896->34897 34978 7bb5318 34897->34978 34982 7bb5320 34897->34982 34898 7bb8f43 34902 7bb8b82 34901->34902 34986 7bb5228 34902->34986 34990 7bb5230 34902->34990 34903 7bb8d4f 34907 7bb8f21 34906->34907 34909 7bb5318 ReadProcessMemory 34907->34909 34910 7bb5320 ReadProcessMemory 34907->34910 34908 7bb8f43 34909->34908 34910->34908 34912 7bb90ab 34911->34912 34994 7bb4338 34912->34994 34998 7bb4340 34912->34998 34913 7bb90d1 34917 7bb8785 34916->34917 34917->34916 34918 7bb8797 34917->34918 34919 7bb5228 WriteProcessMemory 34917->34919 34920 7bb5230 WriteProcessMemory 34917->34920 34918->34846 34919->34917 34920->34917 34922 7bb864e 34921->34922 35002 7bb54ac 34922->35002 35006 7bb54b8 34922->35006 35010 7bb4828 34929->35010 35014 7bb4820 34929->35014 34930 7bb8e8d 34930->34846 34931 7bb88ec 34931->34930 34935 7bb4338 ResumeThread 34931->34935 34936 7bb4340 ResumeThread 34931->34936 34932 7bb90d1 34935->34932 34936->34932 34938 7bb88d4 34937->34938 34940 7bb4338 ResumeThread 34938->34940 34941 7bb4340 ResumeThread 34938->34941 34939 7bb90d1 34940->34939 34941->34939 35018 7bb5168 34942->35018 35022 7bb5170 34942->35022 34943 7bb88b3 34944 7bb8dad 34943->34944 34948 7bb5228 WriteProcessMemory 34943->34948 34949 7bb5230 WriteProcessMemory 34943->34949 34944->34846 34945 7bb8c10 34948->34945 34949->34945 34951 7bb864e 
34950->34951 34954 7bb54b8 CreateProcessA 34951->34954 34955 7bb54ac CreateProcessA 34951->34955 34952 7bb8797 34952->34846 34953 7bb875a 34953->34952 34956 7bb5228 WriteProcessMemory 34953->34956 34957 7bb5230 WriteProcessMemory 34953->34957 34954->34953 34955->34953 34956->34953 34957->34953 34959 7bb8f81 34958->34959 34961 7bb4828 Wow64SetThreadContext 34959->34961 34962 7bb4820 Wow64SetThreadContext 34959->34962 34960 7bb8f75 34960->34846 34961->34960 34962->34960 34964 7bb8785 34963->34964 34965 7bb8797 34964->34965 34966 7bb5228 WriteProcessMemory 34964->34966 34967 7bb5230 WriteProcessMemory 34964->34967 34965->34846 34966->34964 34967->34964 34969 7bb8bde 34968->34969 34971 7bb5228 WriteProcessMemory 34969->34971 34972 7bb5230 WriteProcessMemory 34969->34972 34970 7bb8c10 34971->34970 34972->34970 34975 7bb8785 34973->34975 34974 7bb8797 34974->34846 34975->34974 34976 7bb5228 WriteProcessMemory 34975->34976 34977 7bb5230 WriteProcessMemory 34975->34977 34976->34975 34977->34975 34979 7bb536b ReadProcessMemory 34978->34979 34981 7bb53af 34979->34981 34981->34898 34983 7bb536b ReadProcessMemory 34982->34983 34985 7bb53af 34983->34985 34985->34898 34987 7bb5278 WriteProcessMemory 34986->34987 34989 7bb52cf 34987->34989 34989->34903 34991 7bb5278 WriteProcessMemory 34990->34991 34993 7bb52cf 34991->34993 34993->34903 34995 7bb4380 ResumeThread 34994->34995 34997 7bb43b1 34995->34997 34997->34913 34999 7bb4380 ResumeThread 34998->34999 35001 7bb43b1 34999->35001 35001->34913 35003 7bb5541 35002->35003 35003->35003 35004 7bb56a6 CreateProcessA 35003->35004 35005 7bb5703 35004->35005 35007 7bb5541 CreateProcessA 35006->35007 35009 7bb5703 35007->35009 35011 7bb486d Wow64SetThreadContext 35010->35011 35013 7bb48b5 35011->35013 35013->34931 35015 7bb486d Wow64SetThreadContext 35014->35015 35017 7bb48b5 35015->35017 35017->34931 35019 7bb51b0 VirtualAllocEx 35018->35019 35021 7bb51ed 35019->35021 35021->34943 35023 7bb51b0 VirtualAllocEx 35022->35023 35025 7bb51ed 
35023->35025 35025->34943 34826 579fce0 34827 579fce1 34826->34827 34829 1685cfc GetModuleHandleW 34827->34829 34830 579fd02 34827->34830 34831 16883c8 34827->34831 34829->34830 34832 1688403 34831->34832 34834 168868b 34832->34834 34837 168ad38 GetModuleHandleW 34832->34837 34833 16886c9 34833->34830 34834->34833 34835 168ce20 GetModuleHandleW 34834->34835 34836 168ce30 GetModuleHandleW 34834->34836 34835->34833 34836->34833 34837->34834 35026 7bb93c0 35027 7bb954b 35026->35027 35029 7bb93e6 35026->35029 35029->35027 35030 7bb62bc 35029->35030 35031 7bb9640 PostMessageW 35030->35031 35032 7bb96ac 35031->35032 35032->35029
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: `Q^q
                                                                                                              • API String ID: 0-1948671464
                                                                                                              • Opcode ID: 3edf97c2c7013b4ab359437b5f6c577fc867242c2ccc6559b5a74e72f419bb9d
                                                                                                              • Instruction ID: 16d2a760a5f8535f7e48e5b6188b03d61211b8e712d83b543d04b35f966acfe0
                                                                                                              • Opcode Fuzzy Hash: 3edf97c2c7013b4ab359437b5f6c577fc867242c2ccc6559b5a74e72f419bb9d
                                                                                                              • Instruction Fuzzy Hash: 51A17A676005438BC715757A8C1A7663AC7976A02CF29D398C26DAF7E3EF92C50283C6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7c57c4eacb48b3582b8d127266265474459d03db497bb9ba8061f6e6651516fd
                                                                                                              • Instruction ID: 020ad88fb4836ae68af3ff47f07600269f9de27764a1b3a051ce80326eb71cad
                                                                                                              • Opcode Fuzzy Hash: 7c57c4eacb48b3582b8d127266265474459d03db497bb9ba8061f6e6651516fd
                                                                                                              • Instruction Fuzzy Hash: A1D1AEB0B016058FEB25EB75C950BBEB7F6AF89600F1084AED9459B390EB75D802C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b31706ed19655187e155323b6d71d6b2c01199b6aa66bec55cdb50c16c051569
                                                                                                              • Instruction ID: 752ca0212349a9963bf999faa24668cff85884a8297bcc6ef9d00c4e2a496087
                                                                                                              • Opcode Fuzzy Hash: b31706ed19655187e155323b6d71d6b2c01199b6aa66bec55cdb50c16c051569
                                                                                                              • Instruction Fuzzy Hash: 80519070E012099FCB08DFA9D8949AEBBF2FF88300F14852AD419AB364DB3599468B54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 186d8697219b695f0817e432ec515a7a2ca627f989c5f9355598ee8898078cc8
                                                                                                              • Instruction ID: c9382f14d323c72f083ca1593671426e4f87b87c855aab0763b90c6104ff1e98
                                                                                                              • Opcode Fuzzy Hash: 186d8697219b695f0817e432ec515a7a2ca627f989c5f9355598ee8898078cc8
                                                                                                              • Instruction Fuzzy Hash: 0E51A270E01209DFCB08DFA9D8949AEBBF2FF88300F148529D419AB364DB359846CF94

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 430 7bb54ac-7bb554d 432 7bb554f-7bb5559 430->432 433 7bb5586-7bb55a6 430->433 432->433 434 7bb555b-7bb555d 432->434 440 7bb55a8-7bb55b2 433->440 441 7bb55df-7bb560e 433->441 435 7bb555f-7bb5569 434->435 436 7bb5580-7bb5583 434->436 438 7bb556b 435->438 439 7bb556d-7bb557c 435->439 436->433 438->439 439->439 443 7bb557e 439->443 440->441 442 7bb55b4-7bb55b6 440->442 449 7bb5610-7bb561a 441->449 450 7bb5647-7bb5701 CreateProcessA 441->450 444 7bb55d9-7bb55dc 442->444 445 7bb55b8-7bb55c2 442->445 443->436 444->441 447 7bb55c6-7bb55d5 445->447 448 7bb55c4 445->448 447->447 451 7bb55d7 447->451 448->447 449->450 452 7bb561c-7bb561e 449->452 461 7bb570a-7bb5790 450->461 462 7bb5703-7bb5709 450->462 451->444 454 7bb5641-7bb5644 452->454 455 7bb5620-7bb562a 452->455 454->450 456 7bb562e-7bb563d 455->456 457 7bb562c 455->457 456->456 459 7bb563f 456->459 457->456 459->454 472 7bb5792-7bb5796 461->472 473 7bb57a0-7bb57a4 461->473 462->461 472->473 474 7bb5798 472->474 475 7bb57a6-7bb57aa 473->475 476 7bb57b4-7bb57b8 473->476 474->473 475->476 477 7bb57ac 475->477 478 7bb57ba-7bb57be 476->478 479 7bb57c8-7bb57cc 476->479 477->476 478->479 480 7bb57c0 478->480 481 7bb57de-7bb57e5 479->481 482 7bb57ce-7bb57d4 479->482 480->479 483 7bb57fc 481->483 484 7bb57e7-7bb57f6 481->484 482->481 486 7bb57fd 483->486 484->483 486->486
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07BB56EE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 963392458-0
                                                                                                              • Opcode ID: 477e74ffd75a9529aba47a2ee28cbfb7e8d861d091e4ee53f1e79514eccaef37
                                                                                                              • Instruction ID: 4251a16b2fa0d3b0c69e2843cbfef4009aaa3c1a5479ee78300f7e29df0a4338
                                                                                                              • Opcode Fuzzy Hash: 477e74ffd75a9529aba47a2ee28cbfb7e8d861d091e4ee53f1e79514eccaef37
                                                                                                              • Instruction Fuzzy Hash: FBA193B1D0021ADFEB20DF69C8417EDBBB2FF44314F1485A9E849A7240D7B49995CF92

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 487 7bb54b8-7bb554d 489 7bb554f-7bb5559 487->489 490 7bb5586-7bb55a6 487->490 489->490 491 7bb555b-7bb555d 489->491 497 7bb55a8-7bb55b2 490->497 498 7bb55df-7bb560e 490->498 492 7bb555f-7bb5569 491->492 493 7bb5580-7bb5583 491->493 495 7bb556b 492->495 496 7bb556d-7bb557c 492->496 493->490 495->496 496->496 500 7bb557e 496->500 497->498 499 7bb55b4-7bb55b6 497->499 506 7bb5610-7bb561a 498->506 507 7bb5647-7bb5701 CreateProcessA 498->507 501 7bb55d9-7bb55dc 499->501 502 7bb55b8-7bb55c2 499->502 500->493 501->498 504 7bb55c6-7bb55d5 502->504 505 7bb55c4 502->505 504->504 508 7bb55d7 504->508 505->504 506->507 509 7bb561c-7bb561e 506->509 518 7bb570a-7bb5790 507->518 519 7bb5703-7bb5709 507->519 508->501 511 7bb5641-7bb5644 509->511 512 7bb5620-7bb562a 509->512 511->507 513 7bb562e-7bb563d 512->513 514 7bb562c 512->514 513->513 516 7bb563f 513->516 514->513 516->511 529 7bb5792-7bb5796 518->529 530 7bb57a0-7bb57a4 518->530 519->518 529->530 531 7bb5798 529->531 532 7bb57a6-7bb57aa 530->532 533 7bb57b4-7bb57b8 530->533 531->530 532->533 534 7bb57ac 532->534 535 7bb57ba-7bb57be 533->535 536 7bb57c8-7bb57cc 533->536 534->533 535->536 537 7bb57c0 535->537 538 7bb57de-7bb57e5 536->538 539 7bb57ce-7bb57d4 536->539 537->536 540 7bb57fc 538->540 541 7bb57e7-7bb57f6 538->541 539->538 543 7bb57fd 540->543 541->540 543->543
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07BB56EE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 963392458-0
                                                                                                              • Opcode ID: 52818966714ba46bc3e00a8458e087c22f67744d60349a7143bffe60524d752e
                                                                                                              • Instruction ID: a4d6acfe5406db1601bc082d81499b03be5530ce07dfd8b2956b86b328f2c928
                                                                                                              • Opcode Fuzzy Hash: 52818966714ba46bc3e00a8458e087c22f67744d60349a7143bffe60524d752e
                                                                                                              • Instruction Fuzzy Hash: D59172B1D0021ADFEB20DF69C8407EDBBB2FF48314F1485A9E849A7250D7B49995CF92

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 544 168ae59-168ae60 545 168ae01-168ae35 544->545 546 168ae62-168ae77 544->546 557 168ae44-168ae4c 545->557 558 168ae37-168ae42 545->558 548 168ae79-168ae86 call 1689494 546->548 549 168aea3-168aea7 546->549 559 168ae88 548->559 560 168ae9c 548->560 551 168aea9-168aeb3 549->551 552 168aebb-168aefc 549->552 551->552 561 168af09-168af17 552->561 562 168aefe-168af06 552->562 563 168ae4f-168ae54 557->563 558->563 609 168ae8e call 168b100 559->609 610 168ae8e call 168b0f1 559->610 560->549 564 168af19-168af1e 561->564 565 168af3b-168af3d 561->565 562->561 567 168af29 564->567 568 168af20-168af27 call 168a1d0 564->568 570 168af40-168af47 565->570 566 168ae94-168ae96 566->560 569 168afd8-168aff1 566->569 572 168af2b-168af39 567->572 568->572 584 168aff2-168b050 569->584 573 168af49-168af51 570->573 574 168af54-168af5b 570->574 572->570 573->574 575 168af68-168af71 call 168a1e0 574->575 576 168af5d-168af65 574->576 582 168af7e-168af83 575->582 583 168af73-168af7b 575->583 576->575 585 168afa1-168afae 582->585 586 168af85-168af8c 582->586 583->582 602 168b052-168b098 584->602 591 168afb0-168afce 585->591 592 168afd1-168afd7 585->592 586->585 587 168af8e-168af9e call 168a1f0 call 168a200 586->587 587->585 591->592 604 168b09a-168b09d 602->604 605 168b0a0-168b0cb GetModuleHandleW 602->605 604->605 606 168b0cd-168b0d3 605->606 607 168b0d4-168b0e8 605->607 606->607 609->566 610->566
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0168B0BE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: 1597195d4971cde65f626f1bb67c33151f19924c3d57220d13d8e8a2a8f4dfeb
                                                                                                              • Instruction ID: 76e502e5016760e92c1cb347eff2830a7a82cd6715b03955113333736ff317f5
                                                                                                              • Opcode Fuzzy Hash: 1597195d4971cde65f626f1bb67c33151f19924c3d57220d13d8e8a2a8f4dfeb
                                                                                                              • Instruction Fuzzy Hash: 239166B0A00B458FD725EF69D85475ABBF1FF88200F048A2ED486DBB91D735E949CB90

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 611 16844e0-16859d9 CreateActCtxA 614 16859db-16859e1 611->614 615 16859e2-1685a3c 611->615 614->615 622 1685a4b-1685a4f 615->622 623 1685a3e-1685a41 615->623 624 1685a60 622->624 625 1685a51-1685a5d 622->625 623->622 627 1685a61 624->627 625->624 627->627
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 016859C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: a05fe7ef42691d87cccd955fe72690a21e64d3e7cfc49649ad082c94e71e64ef
                                                                                                              • Instruction ID: b1afa7ce82085016e3b2a18eee509f75726aeff1cb2deb4b6e77c231e8a6bb37
                                                                                                              • Opcode Fuzzy Hash: a05fe7ef42691d87cccd955fe72690a21e64d3e7cfc49649ad082c94e71e64ef
                                                                                                              • Instruction Fuzzy Hash: 6641CFB0C00719CBDB24DFA9C884B9EFBF5BF49304F24816AD409AB255DB756946CF90

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 628 168590d-16859d9 CreateActCtxA 630 16859db-16859e1 628->630 631 16859e2-1685a3c 628->631 630->631 638 1685a4b-1685a4f 631->638 639 1685a3e-1685a41 631->639 640 1685a60 638->640 641 1685a51-1685a5d 638->641 639->638 643 1685a61 640->643 641->640 643->643
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 016859C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0

Control-flow Graph: function at 7bb5228 calling WriteProcessMemory (graph rendering not recoverable from the page)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07BB52C0
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph: function at 7bb5230 calling WriteProcessMemory (graph rendering not recoverable from the page)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07BB52C0
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph: function at 7bb5318 calling ReadProcessMemory (graph rendering not recoverable from the page)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07BB53A0
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph: function at 7bb4820 calling Wow64SetThreadContext (graph rendering not recoverable from the page)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07BB48A6
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph: function at 168b850 calling DuplicateHandle (graph rendering not recoverable from the page)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D706,?,?,?,?,?), ref: 0168D7C7
Memory Dump Source
• Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07BB53A0
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph: function at 7bb4828 calling Wow64SetThreadContext (graph rendering not recoverable from the page)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07BB48A6
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07BB51DE
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07BB51DE
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0168B0BE
Memory Dump Source
• Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07BB969D
Memory Dump Source
• Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
                                                                                                              • Opcode ID: 325cb9075d409465a47af028d062f66ae16c77751f9851732445bd72671456aa
                                                                                                              • Instruction ID: 4ef2403714a24c91e89432be8ef41b13a9ade305760b0e5c1a21df1dd874f227
                                                                                                              • Opcode Fuzzy Hash: 325cb9075d409465a47af028d062f66ae16c77751f9851732445bd72671456aa
                                                                                                              • Instruction Fuzzy Hash: C21136B5800309DFDB20DF8AC484BEEBBF8EB48320F108459E959A7210C375A944CFA4
                                                                                                              APIs
                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07BB969D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessagePost
                                                                                                              • String ID:
                                                                                                              • API String ID: 410705778-0
                                                                                                              • Opcode ID: 2a7b78b90c12af1600a6c631da106e56178ab1b06598980c1acf0355cf1e5d5f
                                                                                                              • Instruction ID: 59b1950228df43fee510368d66d33d998dd23e38fc597eab43974e56be8aeb97
                                                                                                              • Opcode Fuzzy Hash: 2a7b78b90c12af1600a6c631da106e56178ab1b06598980c1acf0355cf1e5d5f
                                                                                                              • Instruction Fuzzy Hash: F31115B6800319DFDB10DF99D585BEEBBF4FB08320F20885AD958A7250D374A684CFA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4c3cb4d4e78feaa4bab02cdbfa0d1d2a75c8453c945fb5a6f840b9c2f9f42bac
                                                                                                              • Instruction ID: cbab2140aa02b880f4ee3573f6fb6b7613dc06b78e95c25e2dcc489e966daf34
                                                                                                              • Opcode Fuzzy Hash: 4c3cb4d4e78feaa4bab02cdbfa0d1d2a75c8453c945fb5a6f840b9c2f9f42bac
                                                                                                              • Instruction Fuzzy Hash: 8A721C319106098FCF15EF68D898AEDBBB1FF45300F448299D54AA7265EF30AAC5CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7ed324fd66d1cb7151912b8c124a1b9c4f12f2d5354f409d46d1244103ed06c2
                                                                                                              • Instruction ID: 09962027f3f86feee3d5480bc83cef4d4d687b1b58b2c46b53cc421a59faa1a0
                                                                                                              • Opcode Fuzzy Hash: 7ed324fd66d1cb7151912b8c124a1b9c4f12f2d5354f409d46d1244103ed06c2
                                                                                                              • Instruction Fuzzy Hash: 03221D30A10615CFCF18DF69D888A9DB7B6BF89300F5485A9D80AAB365DB30ED45DF60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4004bf00189e8d916f7c8c5cb5f04ee1983a32f680a14b08eca3eb323ae2aa93
                                                                                                              • Instruction ID: d94fa003d1d24c753f8c1a06123ff29684c59f3ba9423e876f5dff73303c11f0
                                                                                                              • Opcode Fuzzy Hash: 4004bf00189e8d916f7c8c5cb5f04ee1983a32f680a14b08eca3eb323ae2aa93
                                                                                                              • Instruction Fuzzy Hash: D5120D319006198FDF25DF68D8986DDB7B1BF45304F408299D94AA7269EF30AEC6CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 00e5033a20a476c55bf896d1b00b5fbb5f851ba28601f812a65f63144cffe8b7
                                                                                                              • Instruction ID: 70b13ad45da8b39aac4d2d6ab3f24a317aed4bbf4184938e22c846121c604e70
                                                                                                              • Opcode Fuzzy Hash: 00e5033a20a476c55bf896d1b00b5fbb5f851ba28601f812a65f63144cffe8b7
                                                                                                              • Instruction Fuzzy Hash: A291177191060ACFCF05DF68D880999FBF5FF49310B14879AE819AB256E730E985CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f56fcfbac8e1b2522ab00fe5c86a42ad66606e4dd12d5e9272dfa380feccca6
                                                                                                              • Instruction ID: 95cc3ef375f7763d45842b6e08bf2d47eaa5c05873f490f6d38adde7812b7553
                                                                                                              • Opcode Fuzzy Hash: 7f56fcfbac8e1b2522ab00fe5c86a42ad66606e4dd12d5e9272dfa380feccca6
                                                                                                              • Instruction Fuzzy Hash: A9713D31B04658CFCF09DBB8D588AADB7F6BF89300F158569E806AB354DB719C41DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1a0445686ee1da2b53550d42eaa6ddd4c07889c9d9cf0c8107a166f240c376c0
                                                                                                              • Instruction ID: 29fecb840e5094ad63974b6d7acb9ebccac8f734d2b8cfd6695bc8b3a3680b34
                                                                                                              • Opcode Fuzzy Hash: 1a0445686ee1da2b53550d42eaa6ddd4c07889c9d9cf0c8107a166f240c376c0
                                                                                                              • Instruction Fuzzy Hash: 826178307106008FCB19DF79D888BA9BBF6BF89310F4485BCD9469B3A1DB319849CB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7fdc1d5a244a3b66d7317f931c44eb50948a94a72ee6f805ea785b38e411ec07
                                                                                                              • Instruction ID: a4f7ddd8ddbf4cdc8a0258c276e277e1fe1b812e3e63baf0626393eadcb72658
                                                                                                              • Opcode Fuzzy Hash: 7fdc1d5a244a3b66d7317f931c44eb50948a94a72ee6f805ea785b38e411ec07
                                                                                                              • Instruction Fuzzy Hash: BF51BE347042448FCF19DF69E8989AD7BFABF89604B1840ADD806DB3A1DB35EC01DB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ac8ad0b9d441b204cee966cdc388e69170c8072e232561db73d4d23a1d6edb4
                                                                                                              • Instruction ID: 7781f9bd8d21b865fbb9fd6aa4eeecf3c3b066fd6b908defd577be642354e9f1
                                                                                                              • Opcode Fuzzy Hash: 8ac8ad0b9d441b204cee966cdc388e69170c8072e232561db73d4d23a1d6edb4
                                                                                                              • Instruction Fuzzy Hash: AC71BEB9700A00CFCB18DF29C588A59BBF2BF8920471589A9E54ACB772DB31EC45CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fb3b1989d6c418d0656aafb365f995a0f66cf9f81c5ca2e8b0aab2d89935b79a
                                                                                                              • Instruction ID: 33c278914a184a62eba1b0f07e3446957fe18a453abf2d6b5b67ea9265500aa9
                                                                                                              • Opcode Fuzzy Hash: fb3b1989d6c418d0656aafb365f995a0f66cf9f81c5ca2e8b0aab2d89935b79a
                                                                                                              • Instruction Fuzzy Hash: B0718274A056068FCB58CF68E584999FBF1FF48314B1986A9E80ADB312D734EC85CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 13e29812b1114400a579aba2a746de36e7fe6a42d37e4c0bab662383feba77f7
                                                                                                              • Instruction ID: b3dcb3502e2c428c7c7beba37797a77b7106285f19167ff3ec9347331e380f90
                                                                                                              • Opcode Fuzzy Hash: 13e29812b1114400a579aba2a746de36e7fe6a42d37e4c0bab662383feba77f7
                                                                                                              • Instruction Fuzzy Hash: 1E518031B046588FCF05DBB8D5489ADBBF6BF89300F15816AE806AB360EB319C45DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4edb3916cb3a85d729bfc7f11abee1c085c97593044b27e2b13a8b9812bde548
                                                                                                              • Instruction ID: e019251400d1fe4f65a6fa37da3ce4849459a2b15c22541ac20580555adc3ff6
                                                                                                              • Opcode Fuzzy Hash: 4edb3916cb3a85d729bfc7f11abee1c085c97593044b27e2b13a8b9812bde548
                                                                                                              • Instruction Fuzzy Hash: C4415C30A00709CFCB04EF78D89499DBBB6FF89304F008599E515AB365EB71AA46CB81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f202df9efdec0b61e826c97739e22577184bb8968d8c30d50f520aa34c04ba69
                                                                                                              • Instruction ID: a84f84094ef53f6a5d1112529444eb4d15073a639b915a93806b32e4c669decb
                                                                                                              • Opcode Fuzzy Hash: f202df9efdec0b61e826c97739e22577184bb8968d8c30d50f520aa34c04ba69
                                                                                                              • Instruction Fuzzy Hash: 40316E317001048FCF28EB7DE848AA977F6EF89725B1405BDE51ACB3A1DA31D805DB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a073d8154bfa0aec0707f84a07b8309db2321c96215df9aeee8efff9b63155fb
                                                                                                              • Instruction ID: ebd20448118ae5e6ce82ecc3fbd75743b47f69d400abb6003521b7b58cc71606
                                                                                                              • Opcode Fuzzy Hash: a073d8154bfa0aec0707f84a07b8309db2321c96215df9aeee8efff9b63155fb
                                                                                                              • Instruction Fuzzy Hash: F0414E34A10709CFCB14EFB8D8949DDBBB6FF89304F008569E5156B325EB71AA45CB81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b81960be9cc05d42441ecee4f01ab74eb41e5616a0848896c8de87ed6585e8df
• Instruction ID: 46eaca93743aac0a9ee35f3b06b1a866b8ff6ba3ebbc45e9fd295f2e759dea9c
• Opcode Fuzzy Hash: b81960be9cc05d42441ecee4f01ab74eb41e5616a0848896c8de87ed6585e8df
• Instruction Fuzzy Hash: 38316D35B01219DFCF09EF75E8588DCB7B6FF89614B058169E905AB360EB30AD45CB90
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b2756c301cbabc31c9011e46035f9e4f85fc4e030105c6e14d5e0ca4ccc4e03
• Instruction ID: 06e3207f6d06597ecd49e4b2aec58dd55499c9c6fd18ac3fe0203554cb841c30
• Opcode Fuzzy Hash: 3b2756c301cbabc31c9011e46035f9e4f85fc4e030105c6e14d5e0ca4ccc4e03
• Instruction Fuzzy Hash: 7C312F75B005149FDF19DB59D848EAEB7F6EF8C720B1540A9E806EB361DA31EC00DBA1
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48a130b60a2000084853b9c99de45d2c24361b6dde7077a8ea09111fe8d44f43
• Instruction ID: b9581c0c3b7ed038ed264f9638c289a5ae59149db9428654661b21c2953e56ec
• Opcode Fuzzy Hash: 48a130b60a2000084853b9c99de45d2c24361b6dde7077a8ea09111fe8d44f43
• Instruction Fuzzy Hash: 64410E75A04606CFCB19CF68E584AA9FBF1FF49300B1986AAD44ADB351D734EC45CB90
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87ffb41eabead0c8f5fbf77ab5ea87673a740bc6fb23b5a3bded919b27a86b56
• Instruction ID: 52a6ab32d5f453cfd41fc47be4e19fdc888ae4c8d8b174280f7cd7191068fa72
• Opcode Fuzzy Hash: 87ffb41eabead0c8f5fbf77ab5ea87673a740bc6fb23b5a3bded919b27a86b56
• Instruction Fuzzy Hash: FE21A1347087808FCB1ADB79E89897D7FE6BF8621031884BED455CB362CE249C06D761
Memory Dump Source
• Source File: 00000000.00000002.1746420625.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15dd000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b1a32cb15caddd8efd59173d33b3e33a3d8c3954a21befda6f59f5f952b3579
• Instruction ID: bbf7ea31cee21533ca2e2f2ea515f774901804341350aeda10b449474a5e8244
• Opcode Fuzzy Hash: 7b1a32cb15caddd8efd59173d33b3e33a3d8c3954a21befda6f59f5f952b3579
• Instruction Fuzzy Hash: CB213671100200DFDB21DF58C9C0B6ABFB5FB84324F20C569D9090F296C376E446C7A1
Memory Dump Source
• Source File: 00000000.00000002.1746484464.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15ed000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44a623a336e53ca1e716349d161cd8ccc818f75b7c910b7cf7fc8c703bd8d0d7
• Instruction ID: 229e1e58534fc43a5691f11dbe20dadf5c6892678ba01baeea269dcd479dbe09
• Opcode Fuzzy Hash: 44a623a336e53ca1e716349d161cd8ccc818f75b7c910b7cf7fc8c703bd8d0d7
• Instruction Fuzzy Hash: 0F210071A04200DFCB19DF58D988B2ABFF5FB84314F28C969D80A4F256D33AD446CA61
Memory Dump Source
• Source File: 00000000.00000002.1746484464.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15ed000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6428ec5b9f6846f36be8f9a902f921bc5b5894ae9cfc13cdb039d0cb98307ff
• Instruction ID: c019297017bbe0e2b46b7f3fc742cd01e60653d686fb9792b9c55b888201bd51
• Opcode Fuzzy Hash: e6428ec5b9f6846f36be8f9a902f921bc5b5894ae9cfc13cdb039d0cb98307ff
• Instruction Fuzzy Hash: C8210775904200DFDB09DF98D5C8B2ABBF5FB84324F20C9ADD9494F296C33AD446CA61
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4056e579cd52ab34416ae95ac995203f04f44054c1e0bc13c2b5a91c28075d2b
• Instruction ID: 3366534b63258378df477cb24d205e3947d94ecf34cc1b78daf3c170475f8e7f
• Opcode Fuzzy Hash: 4056e579cd52ab34416ae95ac995203f04f44054c1e0bc13c2b5a91c28075d2b
• Instruction Fuzzy Hash: 7E215032A106099FCB11EF6DD84099DFBB5FF99310B50C26AE958A7200EB30E994CB91
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1e3afefa7578844a77f1c6c8d258363e4f0d2aa22760bcd5303d1c78d861b78
• Instruction ID: 0cea22fccf7fcbd492824ee9f19062373c7415c411527e23bd6b74b08e49348b
• Opcode Fuzzy Hash: c1e3afefa7578844a77f1c6c8d258363e4f0d2aa22760bcd5303d1c78d861b78
• Instruction Fuzzy Hash: 57118476B045049FCF18DA59E848DAAB7F5FF8D320B1140B9E909E7361DA31EC01DBA0
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 222da0dedd40dd74ee2e13eb228dabe2302fb7a267ae356c21fc96130fa16815
• Instruction ID: 01e9387556d71bdd1b3b449e84d90a6fc7d225bc0d74c5b1802d5a1afbac6645
• Opcode Fuzzy Hash: 222da0dedd40dd74ee2e13eb228dabe2302fb7a267ae356c21fc96130fa16815
• Instruction Fuzzy Hash: 2D1186353446018F9F3CDA2AE89497A73EAEFC77213194479E447C7660DA60D841E7A0
Memory Dump Source
• Source File: 00000000.00000002.1746484464.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15ed000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bdc5a824239b9923495965f02a2e176570f9fee3bb4052382dcda8c21f9d12b
• Instruction ID: 6f0424496060c4706102e01591a8a5aecba412e0d2977a4b18cbe2d1a7bbf707
• Opcode Fuzzy Hash: 9bdc5a824239b9923495965f02a2e176570f9fee3bb4052382dcda8c21f9d12b
• Instruction Fuzzy Hash: 69219F755093808FDB07CF24D994715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af7c92a2e8cb426bb44d1a5f749db38eb6b61b0f52e19e2ca8c66c55d2d41171
• Instruction ID: f2800586a30b3c93437b5c44ebd2f9a6dce33f6ed99ff3d9a26dd6a719554654
• Opcode Fuzzy Hash: af7c92a2e8cb426bb44d1a5f749db38eb6b61b0f52e19e2ca8c66c55d2d41171
• Instruction Fuzzy Hash: 0C11A731314A154FD725EB24E851B5FBBDBFBC9700F14852ED187C7785DAB0A5018B91
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe3437dc376dac54f771f8ce05d622b24dbbab1b26ba4d9d3bd383196554e173
• Instruction ID: 9cd801679fbb15b52a16305ae68728800415abc007ae779d0bc987b729791a6c
• Opcode Fuzzy Hash: fe3437dc376dac54f771f8ce05d622b24dbbab1b26ba4d9d3bd383196554e173
• Instruction Fuzzy Hash: 5711A931709A604FCF1ED738E41C56D3BA9AF8791075945EADC45CB362EA25CC0293F1
Memory Dump Source
• Source File: 00000000.00000002.1746420625.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15dd000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 4cc11a8ca034a8a9964099dbf87e5e2ede88f5ace7b06aeb4285694e06eabedd
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: DF11DF72404240DFDB12CF48D5C4B5ABF71FB94324F24C2A9D9090F256C33AE45ACBA2
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1435489163593faf8607d007909c434b4c21cab55872475275985e8fbd65016
• Instruction ID: 0b8f1d96b76098b71ce59eb00832456bcdb687ef1b5d01cc4ec1395c5a6de3f5
• Opcode Fuzzy Hash: c1435489163593faf8607d007909c434b4c21cab55872475275985e8fbd65016
• Instruction Fuzzy Hash: 3C118031314A114FE735AA68D891B5FBBDBFBC8B10F10462DD287C7788DAB5A9414B90
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 894e7dfad47f11ee93149572a19b594176be807f281f19d4a0d74b3d4d41a4b7
• Instruction ID: 1a338ce5bea0e43359277317de9c5e99bd5844e0eb0b1306c53a3ba648fbf8ad
• Opcode Fuzzy Hash: 894e7dfad47f11ee93149572a19b594176be807f281f19d4a0d74b3d4d41a4b7
• Instruction Fuzzy Hash: B9116772A00B5287EB009F6DE844281B365FF95324F1A877ACD4D3F302EB71798487A0
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d36a61e8d585264956ed08ff8e3eba283029d2d60426937b4696217d5fbd1f3f
• Instruction ID: 9c89f96914f2d280326fa494f7407c20782b77d7b9d57bbd785e7980dda36735
• Opcode Fuzzy Hash: d36a61e8d585264956ed08ff8e3eba283029d2d60426937b4696217d5fbd1f3f
• Instruction Fuzzy Hash: BB0192B13083848BDF1EE775A50476AB7EBAF46245F04006DD90BC2285EF34C841E775
Memory Dump Source
• Source File: 00000000.00000002.1746484464.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15ed000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: a570c9cd2bee0fa4d5ae8d94bbd9a5307726d85d150342f19139aa2894bfdb13
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: FE118B75904280DFDB16CF54D5C8B19BFB1FB84224F24C6AAD8494F696C33AD44ACB61
Memory Dump Source
• Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e98f72a77f2f09139b346e831af2f9cd9308bae4b889eebf2d1fcabc8869cb79
• Instruction ID: 30370fcaf79a65596038a5f78aaf78b6c589faf2195aa8e51787d21d4b34cd6c
                                                                                                              • Opcode Fuzzy Hash: e98f72a77f2f09139b346e831af2f9cd9308bae4b889eebf2d1fcabc8869cb79
                                                                                                              • Instruction Fuzzy Hash: AE114972E00B5286EB00DF6CE844281B365FF95324F1A8B7ACD4D3F356EB75698487A0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746420625.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_15dd000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dccb3145a14d87e506ff31c10cb068346be0196c54a77e5c7db2f5e442291ee5
                                                                                                              • Instruction ID: d52c89bbeccc02aa0094f37cc5fdc3ca928254be6d6f432fc430c7676e7a3315
                                                                                                              • Opcode Fuzzy Hash: dccb3145a14d87e506ff31c10cb068346be0196c54a77e5c7db2f5e442291ee5
                                                                                                              • Instruction Fuzzy Hash: 3B01FC310053809AE7308E5DCD8475BBFE8FF41324F08C969ED090E1C6C2399440C7B1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4247b8057d2d26acaed2bdcdf4f91b6895bdfa0015c8f7ae537e4304a68eaf27
                                                                                                              • Instruction ID: 19e2434c456491c4e704ddd1b76566caef84f9ab0331716a57104318dffa5ea2
                                                                                                              • Opcode Fuzzy Hash: 4247b8057d2d26acaed2bdcdf4f91b6895bdfa0015c8f7ae537e4304a68eaf27
                                                                                                              • Instruction Fuzzy Hash: DCF0C8B23047415FCB159F6DB89885ABFEAEFC9220305857AF10ACB321CE61DD4A9760
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 17cf1396c5d9b73cc2ad7c7608ca333840e164418cadc67c8afbe7d0d573adea
                                                                                                              • Instruction ID: 5b8b0181f3cfa84bb7bf1b01e409bccc01f6b8a60c3b4ab38b444450a34c1484
                                                                                                              • Opcode Fuzzy Hash: 17cf1396c5d9b73cc2ad7c7608ca333840e164418cadc67c8afbe7d0d573adea
                                                                                                              • Instruction Fuzzy Hash: 89014031A01B048FDB29EF35D44499A77B6FF85340B50C56ED5464B360EB31D982DB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1799614a724d7668c810736b2481196a73105f4e4cc8634075e8d2dacab09593
                                                                                                              • Instruction ID: eee2696d325d6b38ef49b61b491931692d6824327dda7565959d5e14c40d1765
                                                                                                              • Opcode Fuzzy Hash: 1799614a724d7668c810736b2481196a73105f4e4cc8634075e8d2dacab09593
                                                                                                              • Instruction Fuzzy Hash: 0501D6317047008BEF197674A4095FE7772AFC2211F08456DD6455B350DF30D98297E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c4b9b799b50d499b082eed109fd10a48157c61280d20444a219fbb3f6eae27bd
                                                                                                              • Instruction ID: 48479951b0ddc49d07693c4d21a0972b4f9a00dbf8db6a78b21c18d37e9adcb1
                                                                                                              • Opcode Fuzzy Hash: c4b9b799b50d499b082eed109fd10a48157c61280d20444a219fbb3f6eae27bd
                                                                                                              • Instruction Fuzzy Hash: BBF0BB353046104F8F2D9F2AE944D3677E9AF9761131A44A9E806CB371DAA0DC41E7F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 44503ded277d2f59ba6761883ae90ba1cfd11ae04a43e61f397150fbee1068f4
                                                                                                              • Instruction ID: f1af745ed5b16540b28716296e40b94a71be459695928623201b57f06d64e8b2
                                                                                                              • Opcode Fuzzy Hash: 44503ded277d2f59ba6761883ae90ba1cfd11ae04a43e61f397150fbee1068f4
                                                                                                              • Instruction Fuzzy Hash: DD017131A01B048FDB19DF35D10469A77B2AF85300F54856DD5469B3A0EB30D982EB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 470ee6920c51afeab97ec8d716ca808527b1b18d6fe4f6af534dd1a12ca45270
                                                                                                              • Instruction ID: 59bca7f1fd153953d9177dc490aa9b8e1707d9ffea5921722e9db2959c2723cb
                                                                                                              • Opcode Fuzzy Hash: 470ee6920c51afeab97ec8d716ca808527b1b18d6fe4f6af534dd1a12ca45270
                                                                                                              • Instruction Fuzzy Hash: A50119302146548FCB198B2CD598E587BF5EF0A61570644E9E94ACB7B2CB72EC45CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8c5ab875cf3b90826ee713678d5e0c51693e234fd989aa84f6be21458d537aee
                                                                                                              • Instruction ID: 96f1c15042ecd5054a083e7c6d3493e16862c6f187578a4b9ac1dbaefc63a8e9
                                                                                                              • Opcode Fuzzy Hash: 8c5ab875cf3b90826ee713678d5e0c51693e234fd989aa84f6be21458d537aee
                                                                                                              • Instruction Fuzzy Hash: 50F0C2317047048BEF197A79A4084EFB776EFC1211F04466DDA4527250EF30A58197E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746420625.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_15dd000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4c7a7a7ee2f98e62b221a3b8909195e33be74331c301a8ffff186b08f55adfd0
                                                                                                              • Instruction ID: 7aedb94d55d67c400c8b311dda8bac4bc3eed0217f154c4a37faf9324651ff46
                                                                                                              • Opcode Fuzzy Hash: 4c7a7a7ee2f98e62b221a3b8909195e33be74331c301a8ffff186b08f55adfd0
                                                                                                              • Instruction Fuzzy Hash: 2FF062714053849AE7218E1AC8C8B66FFA8FB51734F18C45AED084F286C2799844CBB1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1d1bf6b58380bfcc1f7041521d97891a55bba6f0796a9b3741d10e3df203ea86
                                                                                                              • Instruction ID: 0a604bf6e75a31402c47fd45aac3461a8a02363f1e2e0a8ca8288cffe6ab6183
                                                                                                              • Opcode Fuzzy Hash: 1d1bf6b58380bfcc1f7041521d97891a55bba6f0796a9b3741d10e3df203ea86
                                                                                                              • Instruction Fuzzy Hash: 93F0B4313006108FCB25AB29E84492AB7BBFFC9321759056EE40A8B360DF35AC46C794
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 624df947baa5b62be80a30b179a6b0327c24d5b2a9dcbe422878218ef2074604
                                                                                                              • Instruction ID: 6f9463991fdcc3010d9959accec4898e593a90f503dacf692eac7dd1f2a415dd
                                                                                                              • Opcode Fuzzy Hash: 624df947baa5b62be80a30b179a6b0327c24d5b2a9dcbe422878218ef2074604
                                                                                                              • Instruction Fuzzy Hash: 88F0F636A046699FCF12DF29D8089DABFF4EB85210F0584A6D885D7241D7306A09CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: adfce1fde677ff21db6e86cf8f9a0453b76770e34faf3ddee29af463010e413a
                                                                                                              • Instruction ID: bfe2dd43175621fa2b10eb9f49be4177811dce538797492d53a2fe651f94988c
                                                                                                              • Opcode Fuzzy Hash: adfce1fde677ff21db6e86cf8f9a0453b76770e34faf3ddee29af463010e413a
                                                                                                              • Instruction Fuzzy Hash: 30F0B4313006108FCB25AB29E444929B3B7FFC8321719095EE40A8B760DB35AC46C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7d67f5364090c073963e49dbd69ae18096b8d4994f76f30facebc8a0d5b4b77f
                                                                                                              • Instruction ID: 43f3105b00abb7983a686dae1a334e74f6b0e79b705adbe39802f112acfdfbaa
                                                                                                              • Opcode Fuzzy Hash: 7d67f5364090c073963e49dbd69ae18096b8d4994f76f30facebc8a0d5b4b77f
                                                                                                              • Instruction Fuzzy Hash: 52F0DF34240610CFC718DB2CE598D59BBE6FF49B1971185A9E10ACB372CB72EC40CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
                                                                                                              • Instruction ID: 30dc6911db46470e4527f7a7c49a355580e6fdf0d686f8bc37f4175223388bba
                                                                                                              • Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
                                                                                                              • Instruction Fuzzy Hash: 27E0ED357001049FCB08CF5DD484DAEF7F5FB8C324B2140A9E519D7321E6319D05CA50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 09ee50bb065c664d8edb75d1c533df0a7b817d603a4094666165896a75fca222
                                                                                                              • Instruction ID: 966d7695c30d3e2c9016eba65d7efd235a7d8b333ff5d0de5b79c8b2fb576767
                                                                                                              • Opcode Fuzzy Hash: 09ee50bb065c664d8edb75d1c533df0a7b817d603a4094666165896a75fca222
                                                                                                              • Instruction Fuzzy Hash: A2E06535A101299FCB14DA6DE8085DEB7F4FB84311F004565D956D3344D7306A19CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1746774840.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1680000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1768128457.0000000007BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7bb0000_xJZHVgxQul.jbxd
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1755432033.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5790000_xJZHVgxQul.jbxd

                                                                                                              Execution Graph

Execution Coverage: 12.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 26
Total number of Limit Nodes: 5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08fbad539183b5af5bb3594720c9dce88914fe733dd6f79aedd5dea123fe3d3c
                                                                                                              • Instruction ID: 097678002b4c341fe4e14cbde0f577e925081a451f93a82de20eb9390a899bc0
                                                                                                              • Opcode Fuzzy Hash: 08fbad539183b5af5bb3594720c9dce88914fe733dd6f79aedd5dea123fe3d3c
                                                                                                              • Instruction Fuzzy Hash: B922E131F002189FDF65DB68C5907AEBBB6EF85310F248469D85AAB344DB31DD42CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1864c81a89962712a1d3b82302bce15ff6a199bbf1d6b163c3fab60a4e4f2d7e
                                                                                                              • Instruction ID: 33d073fb1e5fd8b5d00f76145bb795308146570d60376f4aee08eaa5d7af937d
                                                                                                              • Opcode Fuzzy Hash: 1864c81a89962712a1d3b82302bce15ff6a199bbf1d6b163c3fab60a4e4f2d7e
                                                                                                              • Instruction Fuzzy Hash: 30229430E101099FDF64DB68E5847AFB7EAEB85710F148826E809EB395CA35DC81CB61

                                                                                                              Control-flow Graph (legend: Executed / Not Executed; graph rendering and node/edge listing omitted)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-3823777903
                                                                                                              • Opcode ID: ca207ef94e524d4684b0b16c5f6ad4180189c0396897529bcd7126675e51139b
                                                                                                              • Instruction ID: 94632ea699b54e6ad915e76bcb2e0a352a427405063ad402854c5a14499218ed
                                                                                                              • Opcode Fuzzy Hash: ca207ef94e524d4684b0b16c5f6ad4180189c0396897529bcd7126675e51139b
                                                                                                              • Instruction Fuzzy Hash: 69E14D30E1020A8FDF69DFA8D4846AEB7F6EF85304F208529D805EB354DB75D846CBA1

                                                                                                              Control-flow Graph (legend: Executed / Not Executed; graph rendering and node/edge listing omitted)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2392861976
                                                                                                              • Opcode ID: 79f0e2e821afdb388f794c1b4fb049bee07e849729af08f7028483a4a8bbdebd
                                                                                                              • Instruction ID: ca05916162f5023d433b11a9be1d85b76011df33a94acac49f11f5cbd37e186b
                                                                                                              • Opcode Fuzzy Hash: 79f0e2e821afdb388f794c1b4fb049bee07e849729af08f7028483a4a8bbdebd
                                                                                                              • Instruction Fuzzy Hash: 0C027F30E102098FDF64DF68E5846AEB7B5EB85310F14856AE809DB395DB70EC46CBA1

                                                                                                              Control-flow Graph (legend: Executed / Not Executed; graph rendering and node/edge listing omitted)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2125118731
                                                                                                              • Opcode ID: ff31dad1748d173eec82ae3efe7ac2539b03aaa6469d8923ee63d9e554570022
                                                                                                              • Instruction ID: 6387df3f38ff64483ed2cb9eb100ea166a03e664e4d881020a4fc7bc74aa2ae5
                                                                                                              • Opcode Fuzzy Hash: ff31dad1748d173eec82ae3efe7ac2539b03aaa6469d8923ee63d9e554570022
                                                                                                              • Instruction Fuzzy Hash: C1915130B1020A9FDF54DF65D9507AEB3F6FB89344F148569C80DEB388EA709D468BA1

                                                                                                              Control-flow Graph (legend: Executed / Not Executed; graph rendering and node/edge listing omitted)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q
                                                                                                              • API String ID: 0-831282457
                                                                                                              • Opcode ID: 35ee93ba5882fc8a3af0a83fe8b0a415018409663d6961fbdb63868dea1984d9
                                                                                                              • Instruction ID: be2075d6fc1ce4a2e10ba6cc5eb43319dbb88a5f5a8241e8ce7fa10119ec3372
                                                                                                              • Opcode Fuzzy Hash: 35ee93ba5882fc8a3af0a83fe8b0a415018409663d6961fbdb63868dea1984d9
                                                                                                              • Instruction Fuzzy Hash: A4624E30A006069FCB55EF68D590A5EB7B2FF84304F248939D4099F369DB71ED8ACB91

                                                                                                              Control-flow Graph (legend: Executed / Not Executed; graph rendering and node/edge listing omitted)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fcq$XPcq$\Ocq
                                                                                                              • API String ID: 0-3575482020
                                                                                                              • Opcode ID: 02ff978bd1f42900db3a42061b7d5889cba4f9ea249c2937cb39b44db1903ab3
                                                                                                              • Instruction ID: 7c045c0c3b326451de10f13e5dd77659d3f475633ace2ecfda403ca4b830dacb
                                                                                                              • Opcode Fuzzy Hash: 02ff978bd1f42900db3a42061b7d5889cba4f9ea249c2937cb39b44db1903ab3
                                                                                                              • Instruction Fuzzy Hash: 80617330F002089FDF549FA8C4547AEBAF6EF88700F208429D506EB395DF754D468BA5

                                                                                                              Control-flow Graph (legend: Executed / Not Executed; graph rendering and node/edge listing omitted)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q
                                                                                                              • API String ID: 0-355816377
                                                                                                              • Opcode ID: d883da8fb3f331983044d1c11c04689d0bf5691b6627a50a406ec79094d52a89
                                                                                                              • Instruction ID: 59caef9d28ea7853113160f1fc09bc8761104a5880feabd47a6036814cbd9f98
                                                                                                              • Opcode Fuzzy Hash: d883da8fb3f331983044d1c11c04689d0bf5691b6627a50a406ec79094d52a89
                                                                                                              • Instruction Fuzzy Hash: 95513F30B101099FDB54DB65D990B6E73FAEB89744F148569C809EB388EA309C43CBA6

Control-flow Graph: basic blocks 107ec07-107ecc5; GlobalMemoryStatusEx is called in the entry block (107ec07-107ec94), after which a single conditional branch either passes through 107ec96-107ec9c or skips straight to 107ec9d-107ecc5.
                                                                                                              APIs
                                                                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0107EC87
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2966564210.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1070000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: GlobalMemoryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1890195054-0
                                                                                                              • Opcode ID: 2fe6bda9926c0fa2dc3c592e5880246148fd3311404932f6040761c8fcbe69fd
                                                                                                              • Instruction ID: 2f8fbc05d6109f9174351a1a4cd70e5d76ee384f4565b561bc5cbaf39fa27c71
                                                                                                              • Opcode Fuzzy Hash: 2fe6bda9926c0fa2dc3c592e5880246148fd3311404932f6040761c8fcbe69fd
                                                                                                              • Instruction Fuzzy Hash: 181142B2C006599FCB10CFAAC5447DEBBB4AF08320F20816AD518B7251D338A945CFA4

Control-flow Graph: basic blocks 107ec20-107ecc5 (second entry into the same body as 107ec07); GlobalMemoryStatusEx is called in the entry block (107ec20-107ec94), after which a single conditional branch either passes through 107ec96-107ec9c or skips straight to 107ec9d-107ecc5.
                                                                                                              APIs
                                                                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0107EC87
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2966564210.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1070000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: GlobalMemoryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1890195054-0
                                                                                                              • Opcode ID: 2dd54e53cc045db8e1f3b24613cb8453a7cf380c169e836933d207d2a0a7b98d
                                                                                                              • Instruction ID: ea380493593971d28e98a7961d37ddff7591f438bfee0d0b6ca4a650fec0cdd4
                                                                                                              • Opcode Fuzzy Hash: 2dd54e53cc045db8e1f3b24613cb8453a7cf380c169e836933d207d2a0a7b98d
                                                                                                              • Instruction Fuzzy Hash: 5411EFB1C006699BCB10DF9AC544BDEFBF4EB48320F14816AD858A7251D378A945CFE5
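Both functions above (entry points 0107EC07 and 0107EC20, in the RWX region at 01070000 that is not backed by a PE image) do one thing the report can see: call GlobalMemoryStatusEx and then take a single conditional branch. The report does not say what is compared, so the following is an added illustration, not code recovered from the sample, of what such a call normally does in an anti-VM routine: read ullTotalPhys and treat a machine below a RAM threshold as a sandbox. The 4 GiB cutoff, the function names and the constructed 2 GiB stand-in value used off-Windows are all assumptions.

```c
/* Added example (not from the Joe Sandbox report or the sample): what a
 * GlobalMemoryStatusEx call typically does inside an anti-VM routine, with the
 * decision logic separated from the API call so it can be unit-tested on any
 * platform. The RAM-threshold purpose and the 4 GiB cutoff are assumptions;
 * the report records only that the function calls GlobalMemoryStatusEx. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Returns true when total physical RAM is strictly below the cutoff, the
 * condition an evasive sample would use to take its "do nothing" path. */
bool looks_like_sandbox_by_ram(uint64_t total_phys_bytes, uint64_t cutoff_bytes)
{
    return total_phys_bytes < cutoff_bytes;
}

/* GiB to bytes in 64-bit arithmetic (avoids the 32-bit overflow at 4 GiB). */
uint64_t gib(unsigned n)
{
    return (uint64_t)n << 30;
}

#ifdef _WIN32
/* Real query. dwLength must be set before the call or it fails with
 * ERROR_INVALID_PARAMETER; code that ignores the return value would then
 * compare an uninitialised ullTotalPhys. */
bool query_total_phys(uint64_t *out_bytes)
{
    MEMORYSTATUSEX ms;
    ms.dwLength = sizeof(ms);
    if (!GlobalMemoryStatusEx(&ms))
        return false;
    *out_bytes = ms.ullTotalPhys;
    return true;
}
#else
/* Off-Windows stand-in so the example runs here: reports a constructed
 * 2 GiB machine, the kind of figure a small analysis VM would return. */
bool query_total_phys(uint64_t *out_bytes)
{
    *out_bytes = gib(2); /* constructed sample value, not measured */
    return true;
}
#endif

int main(void)
{
    uint64_t total = 0;
    if (!query_total_phys(&total)) {
        puts("GlobalMemoryStatusEx failed");
        return 1;
    }
    bool sandbox = looks_like_sandbox_by_ram(total, gib(4)); /* assumed cutoff */
    printf("total physical RAM: %llu MiB -> %s\n",
           (unsigned long long)(total >> 20),
           sandbox ? "below cutoff: evasion path" : "above cutoff: continue");
    return 0;
}
```

The single branch after the call in the graph above is consistent with a threshold test of this shape, but the cutoff itself is not recoverable from the report; to confirm it, read the immediate operand of the comparison in the 01070000 dump. On the analysis side the usual counter is to give sandbox VMs at least 4 to 8 GiB of RAM or to hook GlobalMemoryStatusEx and return an inflated ullTotalPhys.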
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: XPcq
                                                                                                              • API String ID: 0-714321711
                                                                                                              • Opcode ID: 4a63b7f263b733ced207312abf6e93628aa9532b95281a6d0d65df341ece236f
                                                                                                              • Instruction ID: 1816a9fdc43d1313131672fba24e807e4a49a8777c72ffaae6b42421c41db4d7
                                                                                                              • Opcode Fuzzy Hash: 4a63b7f263b733ced207312abf6e93628aa9532b95281a6d0d65df341ece236f
                                                                                                              • Instruction Fuzzy Hash: EC416231B002089FDB459FA9C454BAEBBF6EF88700F208529E505EB395DF758C06CBA5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH^q
                                                                                                              • API String ID: 0-2549759414
                                                                                                              • Opcode ID: 65331c335fe02f72c446d120af0390a8d19994165d7f14080825b8d026711ca5
                                                                                                              • Instruction ID: a73cc371de5be02a7e4af5eadd03248cb8e9d1650ff7bbf39aaa686733a21315
                                                                                                              • Opcode Fuzzy Hash: 65331c335fe02f72c446d120af0390a8d19994165d7f14080825b8d026711ca5
                                                                                                              • Instruction Fuzzy Hash: 1A418C70E007099FDF559FA5C8946AEBBB6AF85300F204429D805EB344EB719946CBA1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH^q
                                                                                                              • API String ID: 0-2549759414
                                                                                                              • Opcode ID: f31fccc1cb869fda4b16a022a1237f8e9c871bd4ddc6d577b6a84aaed9f66f81
                                                                                                              • Instruction ID: c459f66dab8f3e328d058d8cf70a9341e6c600c6de06e34a0668390716001885
                                                                                                              • Opcode Fuzzy Hash: f31fccc1cb869fda4b16a022a1237f8e9c871bd4ddc6d577b6a84aaed9f66f81
                                                                                                              • Instruction Fuzzy Hash: 06419D70E007059FDF11DFA5C8906AEBBB6BF86300F14452AE805DB344EB74D946CBA1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH^q
                                                                                                              • API String ID: 0-2549759414
                                                                                                              • Opcode ID: 8ec908df83e45e540904b6c9a18172f1058903de648bcb8eb32397b11e5f4a01
                                                                                                              • Instruction ID: 4e78f43d20567a7c8fcf820f312847e34406f04d508bd127f70eb53793f25404
                                                                                                              • Opcode Fuzzy Hash: 8ec908df83e45e540904b6c9a18172f1058903de648bcb8eb32397b11e5f4a01
                                                                                                              • Instruction Fuzzy Hash: 0531E330B202019FDF45AB74C56476E7BAAAF86700F248428D806DB395DF75DE46C7B1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH^q
                                                                                                              • API String ID: 0-2549759414
                                                                                                              • Opcode ID: 2edbff61ab50229574b831a1f94299e881df75d526052e06d91e5d3358260926
                                                                                                              • Instruction ID: dd6b8f223ee840f389ab2527ec37a038697ef8ebaea329426f13932aa7c584ef
                                                                                                              • Opcode Fuzzy Hash: 2edbff61ab50229574b831a1f94299e881df75d526052e06d91e5d3358260926
                                                                                                              • Instruction Fuzzy Hash: 4931D030B202019FCF45AB74C52466F7BAAAF89700F204428D806DB395DF36DE46C7B5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q
                                                                                                              • API String ID: 0-388095546
                                                                                                              • Opcode ID: c0836775f66461399fa3ff70667b9dc66ba79015f031d06d4d8e6415167509e4
                                                                                                              • Instruction ID: 02d78e6c83cfe1de3f2bf0024928a8e075da35242eaa01e5aa7bc286b9bc6e4c
                                                                                                              • Opcode Fuzzy Hash: c0836775f66461399fa3ff70667b9dc66ba79015f031d06d4d8e6415167509e4
                                                                                                              • Instruction Fuzzy Hash: 7FF0A036E14204DBDF645EE5E9402B873ACEB42290B040C6ECD00C7244C735CE16C6B0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 467004d7ace14685abad6c05ce5e2a131dbd4ecdbd1e935d276ec707cefd5a16
                                                                                                              • Instruction ID: ffdad15da10fa2b77f529330fc77a2437c5213925257c0083aa375e58d0d99a8
                                                                                                              • Opcode Fuzzy Hash: 467004d7ace14685abad6c05ce5e2a131dbd4ecdbd1e935d276ec707cefd5a16
                                                                                                              • Instruction Fuzzy Hash: 9132B534B102099FDF54DB68D980BAEB7B6FB88310F108529E805DB394DB35EC46CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 239755902d479be49fec2a674b2b915e74fd25ac68445c7aadc7534b8b99ff15
                                                                                                              • Instruction ID: f58f4092c543a9ac267cf395690d6ea9c618ec8165b85a5c957ec81fbfd61814
                                                                                                              • Opcode Fuzzy Hash: 239755902d479be49fec2a674b2b915e74fd25ac68445c7aadc7534b8b99ff15
                                                                                                              • Instruction Fuzzy Hash: EE61BC71F001114FDF549B7AC88466FAADBAFC4620B25443AD80EDB364DEB6ED0287D2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e3f8a573482dfdbcafa9b122f3e0804875e16f96bde909138465295b03165c45
                                                                                                              • Instruction ID: c748052dd6774b51ed1bd2bbcffb50f2070145fd5a9e96070b2906217134692f
                                                                                                              • Opcode Fuzzy Hash: e3f8a573482dfdbcafa9b122f3e0804875e16f96bde909138465295b03165c45
                                                                                                              • Instruction Fuzzy Hash: B6812A30B102099FDF44DBB9D5546AEB7F6AB89304F148529D80AEB394EF35EC438B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cfa6463b80405d53e70f02b999c60a7a0cefec1ebc4d6a7c1002f89b3746c2e2
                                                                                                              • Instruction ID: e13007e768f28a85e23b488419815d774890caa0db142b741bc7aea71a2fbe6f
                                                                                                              • Opcode Fuzzy Hash: cfa6463b80405d53e70f02b999c60a7a0cefec1ebc4d6a7c1002f89b3746c2e2
                                                                                                              • Instruction Fuzzy Hash: 0A915D30E102198FDF64DF68C890B9DB7B1FF89314F208695D449AB395DB70AA86CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 98af86beb6e8f2f355d4154195afca867b6b5c6427dbd237ec90c5e785e694a0
                                                                                                              • Instruction ID: 8b7446ae47c6dc1f7d27628aa2b19ffaa318eda33060fecad6cf44049e1577f1
                                                                                                              • Opcode Fuzzy Hash: 98af86beb6e8f2f355d4154195afca867b6b5c6427dbd237ec90c5e785e694a0
                                                                                                              • Instruction Fuzzy Hash: 9E812A30B102099FDF54DBB9D5546AEB7E6AB89304F148429D80AEB394EF31EC438B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ce37d10523f5e251190f8cfcc14b675f06c96d5a4a7ace503a6f501899a6479
• Instruction ID: 5ef7057e9ce24748d2a16bcab954ff1632f6028d78dbd1299e7f57c727ad5262
• Opcode Fuzzy Hash: 7ce37d10523f5e251190f8cfcc14b675f06c96d5a4a7ace503a6f501899a6479
• Instruction Fuzzy Hash: 07915D30E102198BDF64DF68C880B9DB7B1FF89310F208695D44DAB355EB70AA86CF91
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bc60f46d056568e7eaff031ba79b292f6088d043561d153a7275c700acde3ea
• Instruction ID: 4a7f12affcac6270fc57831ead9b329374bd7a7a0f25c41f4a7c1f8f4695728d
• Opcode Fuzzy Hash: 7bc60f46d056568e7eaff031ba79b292f6088d043561d153a7275c700acde3ea
• Instruction Fuzzy Hash: 02815F70A002099FDF54DFA8D990A9DBBFAFF84300F148429E409EB355DB31E946CB60
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c9f7045b9b893a56617c74f426d65b149a2bcef8f47558b0d32fc439c2143c22
• Instruction ID: ddd52ea3eee9a7706561ba6edcb4b21103d501eddbdf70552210aabebc632d9e
• Opcode Fuzzy Hash: c9f7045b9b893a56617c74f426d65b149a2bcef8f47558b0d32fc439c2143c22
• Instruction Fuzzy Hash: 64711E70A002099FDB54EBA8D990A9EBBFAFF84314F158429E409DB355DB31E946CB60
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0696503ccdc5f121d3caa85b03ff6d46719778906834fff94fb936d707aed9b3
• Instruction ID: d74959982286e462a35a197a8f95e3ee2fd380cb245c5b4fdab92a822c38018e
• Opcode Fuzzy Hash: 0696503ccdc5f121d3caa85b03ff6d46719778906834fff94fb936d707aed9b3
• Instruction Fuzzy Hash: 4A51E331F00105DFCF14EFB8E4446AEBBB6EB84315F118829E90AD7350DB319955CBA5
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82664b706a750d50ddd5218e88c9793d7b3683c8b2aad12d425993d6425e0cdf
• Instruction ID: 35449df4cd27c963d33154a1f6b047ab8cf99f15f8ac66f2bd2c27ab70935cdc
• Opcode Fuzzy Hash: 82664b706a750d50ddd5218e88c9793d7b3683c8b2aad12d425993d6425e0cdf
• Instruction Fuzzy Hash: F351B934B10305DFEF646A6CD99476F365ED789710F21482AE80AD73D8CA79CC4687B2
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 959d5ff16c205ab41c6c65b70a34c6ae65a422d463e302246ffdb4b39ca72dbb
• Instruction ID: a34f7b1c2ae04f8361807a95c2782f53f7060050a3a75230576d96c5c88d5a87
• Opcode Fuzzy Hash: 959d5ff16c205ab41c6c65b70a34c6ae65a422d463e302246ffdb4b39ca72dbb
• Instruction Fuzzy Hash: 6451B834B20314DFEF646A6CD954B3F265ED789710F21482AE90AD73E8CA79CC4643B2
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0f0fa0de7e0435f99a350c40f62cf7acfdf68916ea66e64ecea6716cc4ec8af
• Instruction ID: 2f956d62f7776469c7f6810683af6d1861a05624946cbb2a65b07d0272ba4936
• Opcode Fuzzy Hash: a0f0fa0de7e0435f99a350c40f62cf7acfdf68916ea66e64ecea6716cc4ec8af
• Instruction Fuzzy Hash: 5C415E71E006098BDFB1CEA9D8C0AAFFBF6FB84310F10492AD51AD7651D730E9558BA0
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf9824bf3af89804caeed88392894617f83cb0fcc113c6a87619a7edaa4af7f5
• Instruction ID: 260919fef0ff18277609d7a0c67dfc1a5230bfaa33ebedbeb6c34acbd8584a39
• Opcode Fuzzy Hash: cf9824bf3af89804caeed88392894617f83cb0fcc113c6a87619a7edaa4af7f5
• Instruction Fuzzy Hash: 78310132E01205DFCF14ABB8E5142AEBBB7EB84311F118879E50AD7350DF31985AC7A5
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 177fd8fe99c3ecdfac1be0291619b4485760fb0c33531a5ec5ccc38f28271530
• Instruction ID: 90f9411c555901f01609be0d11cd2ff0b6311d72f5f8094af8af761dfcc0b8b2
• Opcode Fuzzy Hash: 177fd8fe99c3ecdfac1be0291619b4485760fb0c33531a5ec5ccc38f28271530
• Instruction Fuzzy Hash: B3319031E1060A8FCF25DF68C89069EBBB5FF85304F144929E815EB354EB71E946CB60
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d48d8344e6b6e3abb70f2fecf57196dd09734260d0e5a50ad35aa28ed7a4aa2c
• Instruction ID: 41b3f106c8c0c66bdd5551a504020b6f912941d310cb06550ff190514eac763f
• Opcode Fuzzy Hash: d48d8344e6b6e3abb70f2fecf57196dd09734260d0e5a50ad35aa28ed7a4aa2c
• Instruction Fuzzy Hash: E0318F34E10205AFCF59CF65D8A46AEBBB6FF8A300F148529E906E7350DB71AD46CB50
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56b1802865bedc5ee07b4bef7dfd291246fa3e3d6eeef8716288162a3ad51b07
• Instruction ID: 080d271fe70c2a0ca76cb71fc68a898d22fe3d510dd7d7fa7a48653124b2e6a4
• Opcode Fuzzy Hash: 56b1802865bedc5ee07b4bef7dfd291246fa3e3d6eeef8716288162a3ad51b07
• Instruction Fuzzy Hash: FB318134E10209AFCF59CF65D8646AEB7BAFF89300F148529E906E7340DB71AD46CB50
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77e1f12c68c9ea5af81275cc225296ef32ec16bb16c8c4fd14888f124a574ba2
• Instruction ID: 21c68e27e112c6b569f428989954d6e00b601fa738ae66e83f1d0383660f1422
• Opcode Fuzzy Hash: 77e1f12c68c9ea5af81275cc225296ef32ec16bb16c8c4fd14888f124a574ba2
• Instruction Fuzzy Hash: 6E21AC75F102059FDF00DF69D880AAEBBF9FB48710F148029E904E7384E734D9028B94
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f2c2839525803eaa35554de7cae51596829b7131ee17525d3d6fc28e0a5e7c4
• Instruction ID: d55b6b9be6b6681d79978231def420e1831fddc534096244a421aa8261c34ade
• Opcode Fuzzy Hash: 2f2c2839525803eaa35554de7cae51596829b7131ee17525d3d6fc28e0a5e7c4
• Instruction Fuzzy Hash: 93217A75F106159FDF40DF69D880AAEBBF9FB48710F148029E905E7384E734D9028BA4
Memory Dump Source
• Source File: 00000008.00000002.2966022900.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d9d000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fdbbadcbb01c5f30ff024a8f0259ae8bfe1ea3c82155ec1c8fa45a865fdbbc0
• Instruction ID: 962e53f7ddc3617adb69298b7d928ac736596fa842a0975796241981b0a3fc8f
• Opcode Fuzzy Hash: 3fdbbadcbb01c5f30ff024a8f0259ae8bfe1ea3c82155ec1c8fa45a865fdbbc0
• Instruction Fuzzy Hash: 1D21F271604204DFDF14DF14D9C4B26BBA6FB84314F24C669E84D4B296C33AD846CA72
Memory Dump Source
• Source File: 00000008.00000002.2966022900.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d9d000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b985c1eebda45ffe57817a65c659df784228be320b61282435abed0668a635d3
• Instruction ID: aed745690278a3477a9c7239a7813e66de5691a75e09802f6c817bf08f3d188c
• Opcode Fuzzy Hash: b985c1eebda45ffe57817a65c659df784228be320b61282435abed0668a635d3
• Instruction Fuzzy Hash: 05212C7550D3C09FCB07CB24D994711BF71AB46214F29C5EBD8898F2A7C23A985ACB62
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1c75ad6947be4ef69fad3a2bc79b282182ad7b886feb2f0897806d147ca95b6
• Instruction ID: e1c71b091f6c1fb6c814d4c84f0ef982c4ec913c7c503a5a9785bb61841ac539
• Opcode Fuzzy Hash: e1c75ad6947be4ef69fad3a2bc79b282182ad7b886feb2f0897806d147ca95b6
• Instruction Fuzzy Hash: 6721BE71A007058FCF61CFA9CDC1AAFFBB6FF84300F148929D51697655D730A8568BA0
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0967fc8de17cb8d91f3a9c51a39500ed238009fa3037d2e7964e608663cb9f75
• Instruction ID: a19bc4e13f459098fef0030e55f8a4f44e1c71ec9c1b99b083da6b784ea3aead
• Opcode Fuzzy Hash: 0967fc8de17cb8d91f3a9c51a39500ed238009fa3037d2e7964e608663cb9f75
• Instruction Fuzzy Hash: 47118E32B145299FDF549668C814AAF73AAEBC8310F04447AD80AE7344EE24DC438BE5
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68d634e116f8874801e2722d900ac59b293954917990e97753c70e459458ca64
• Instruction ID: 321b629ccd233ddf3630bee97e6c71a9aad1de566898e6347a81ad5f027fb5d6
• Opcode Fuzzy Hash: 68d634e116f8874801e2722d900ac59b293954917990e97753c70e459458ca64
• Instruction Fuzzy Hash: 6601B135B001115FCBA5A66DD850B2EB7EAEB8A710F158569EA0ACB381DA34DC4343E6
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6064d9191392fba6a173d5fac65ee42147ce37b96d7e24772a812d7f3506153e
• Instruction ID: 1e81f8b1fe500ccfe40bab7d4657bd6abfb70fd4f2b28090c89c87c1edbc0995
• Opcode Fuzzy Hash: 6064d9191392fba6a173d5fac65ee42147ce37b96d7e24772a812d7f3506153e
• Instruction Fuzzy Hash: 2921C3B5D01219EFCB00DF99D985ADEFBB4FB08310F10852AE918B7200D374A554CFA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0ec385228959f1a7d746927122756ff9c75ca1cb16a7ace0b4dfc0dd10274338
                                                                                                              • Instruction ID: 8786ef4ec6b7031f228d7600483dababc757ae69c90e272d29919693f9d5980f
                                                                                                              • Opcode Fuzzy Hash: 0ec385228959f1a7d746927122756ff9c75ca1cb16a7ace0b4dfc0dd10274338
                                                                                                              • Instruction Fuzzy Hash: 3F015E35B101101FDF6496ADE49572AB7DAEBCA720F14843AE50AC7390DE65EC8343A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 144efbf02e461965c8c6bff6da2ce72388d6f24375c7295cbb6f46e4843eddc3
                                                                                                              • Instruction ID: 77bad560dd6c59d8170eeea6fc6c018c23102b0b7a04f201ba04941dfc745456
                                                                                                              • Opcode Fuzzy Hash: 144efbf02e461965c8c6bff6da2ce72388d6f24375c7295cbb6f46e4843eddc3
                                                                                                              • Instruction Fuzzy Hash: E311C2B5D01219AFCB00DF9AD984ADEFBB8FB48310F10812AE918B7300C375A944CFA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d188a1e7c55f1eaf86fbdec6016bf5d33143b99527d3a2ea2f862ef6a00fe18b
                                                                                                              • Instruction ID: d802dbd54daf1b1caf500d623bf62083c8cb5fbe3257d0abd7ee6ac44d16ff02
                                                                                                              • Opcode Fuzzy Hash: d188a1e7c55f1eaf86fbdec6016bf5d33143b99527d3a2ea2f862ef6a00fe18b
                                                                                                              • Instruction Fuzzy Hash: 27016775B100145FDB94DABCE494B2E73D9E78A714F108829EA0EC73D4DA25DC0287A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 298a2e802bd3afee98baa3c3e4ed8f76a0023c0e37b840498f250a1877a9fc9b
                                                                                                              • Instruction ID: 8eb7905167c07c9ffecfd23eabf75050d20c571cac100234e61fa317cb299f97
                                                                                                              • Opcode Fuzzy Hash: 298a2e802bd3afee98baa3c3e4ed8f76a0023c0e37b840498f250a1877a9fc9b
                                                                                                              • Instruction Fuzzy Hash: 0A01D130B101101BDFA495ADE45472BB3CEEBC9720F14843AE50EC7390DD65DC4303A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2f3c66075638b88cfa4c13c01f671a76c641bbd127688c2ae9a5420c0c43970c
                                                                                                              • Instruction ID: 3958c613b55265bef6b5dcc62d1ae32c2f0fab8a7fcc46a93513ed1087d5c2c3
                                                                                                              • Opcode Fuzzy Hash: 2f3c66075638b88cfa4c13c01f671a76c641bbd127688c2ae9a5420c0c43970c
                                                                                                              • Instruction Fuzzy Hash: 5F01B132B144254BDF849668D8556AB73AE9B88210F04407AD80AE7384EE60984387A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e030ed44d051023ca7805e3e387866a3d599267d3b31d87ffbc211a00ac604e2
                                                                                                              • Instruction ID: f7956e64cba39f8456f539bd7fc13c431239f963f182f70842bb4bef35fab68b
                                                                                                              • Opcode Fuzzy Hash: e030ed44d051023ca7805e3e387866a3d599267d3b31d87ffbc211a00ac604e2
                                                                                                              • Instruction Fuzzy Hash: CE018C75B000101BDFA9966DE890B2F63DAEBCA610F208839EA0EC7380DE25DC0343E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ee5b9a86e60d08f8cfd2cd7710d96d88661f4ba1a13cd5fb74845d7e1376d438
                                                                                                              • Instruction ID: 78cdf59602ae40d88428225928bfdbe367dfbf08ced7ff9eea153f0f576db1eb
                                                                                                              • Opcode Fuzzy Hash: ee5b9a86e60d08f8cfd2cd7710d96d88661f4ba1a13cd5fb74845d7e1376d438
                                                                                                              • Instruction Fuzzy Hash: 81014434B100145FDBA4EABDE454B2EB3D9E78A714F108839EA0FC7384EA21DC0287D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a5ca53e5d2ff69acd944e70328ad99bb15fcfa8547c6b8da0198539c081d4a00
                                                                                                              • Instruction ID: 24fec3e8d2c653d0753ae1d33921e4ef1fda762b7ab1dae2ea2461ff2912ad79
                                                                                                              • Opcode Fuzzy Hash: a5ca53e5d2ff69acd944e70328ad99bb15fcfa8547c6b8da0198539c081d4a00
                                                                                                              • Instruction Fuzzy Hash: 66E04871E547489BEF90CFF4C95576A77AEE701608F2488A5D805CB341E637DD018BA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                                                                              • Instruction ID: 9f4cb87fa4c068fb2e3af31b37d4b6b65b11820edc6fffd6068c2dc651c364b8
                                                                                                              • Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                                                                              • Instruction Fuzzy Hash: 7FE01271E14208ABEF50DEF4CA5575A77ADD701618F20C8A5DC09DB301E576DE014BA0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2222239885
                                                                                                              • Opcode ID: 0840fc0885683f2bf686c3b5eaa0e278dac17eea48fa660521a084295e321a40
                                                                                                              • Instruction ID: dd589000d408e697deeb0d381a820e9f30b5b64774454e28bc87682659aeb155
                                                                                                              • Opcode Fuzzy Hash: 0840fc0885683f2bf686c3b5eaa0e278dac17eea48fa660521a084295e321a40
                                                                                                              • Instruction Fuzzy Hash: 28121D30E10219CFDF68DF65D954A9EBBB6FF88304F208569D409AB354DB309D86CB91
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-3823777903
                                                                                                              • Opcode ID: 08eb42e7270e352d43d26e8d5b02dff8421e31541c8e6e91a606c9dce557f235
                                                                                                              • Instruction ID: d2f2a73a07b362547d939ffebbdf0a9700959578b30f59bdd1174912b175a97a
                                                                                                              • Opcode Fuzzy Hash: 08eb42e7270e352d43d26e8d5b02dff8421e31541c8e6e91a606c9dce557f235
                                                                                                              • Instruction Fuzzy Hash: E9914E30E10209DFDF68DFA5D654B6E77FAEF84304F108529E8059B398DB749946CBA0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-390881366
                                                                                                              • Opcode ID: a43db867bbf49240c78a5dbd89f2f4243971fa6875be803590b54d2b9e3de2f6
                                                                                                              • Instruction ID: 1059f10c667740ee7d7cec2abb828f76c36eca154e56ce585c81ab78f7e36607
                                                                                                              • Opcode Fuzzy Hash: a43db867bbf49240c78a5dbd89f2f4243971fa6875be803590b54d2b9e3de2f6
                                                                                                              • Instruction Fuzzy Hash: 94F14C30B10209CFDB59EF69D594A6EBBB6FF84300F248569D8459B398DB31EC42CB94
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2125118731
                                                                                                              • Opcode ID: 4b0b2ee7f6ceab74f36bacd5cdb4a942b51f3ebc8168758bd7826eff6a6d86f0
                                                                                                              • Instruction ID: fbfc020ba6d969e7665cd47a8d4bbf5fb538b0ddd7fbd21d23705a801a9860f2
                                                                                                              • Opcode Fuzzy Hash: 4b0b2ee7f6ceab74f36bacd5cdb4a942b51f3ebc8168758bd7826eff6a6d86f0
                                                                                                              • Instruction Fuzzy Hash: 6EB13930B102098FDB54EF68D5946AEB7B6FF85300F248929D406DB399DB75DC86CBA0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LR^q$LR^q$$^q$$^q
                                                                                                              • API String ID: 0-2454687669
                                                                                                              • Opcode ID: 274a9a47fa4d12bd9ab4534d4a27d8590741a5dd64a7b179f83faa16946ab80a
                                                                                                              • Instruction ID: 645807f30df8b72df109d600162dfd5cbb7f3cb1fb10e9ba859c8f200dae816b
                                                                                                              • Opcode Fuzzy Hash: 274a9a47fa4d12bd9ab4534d4a27d8590741a5dd64a7b179f83faa16946ab80a
• Instruction Fuzzy Hash: 5351B130B102059FDF58EB28D540A6AB7A9FF85704F14896DE805DB399DB31EC46CBA1
Strings
Memory Dump Source
• Source File: 00000008.00000002.2980222691.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6690000_xJZHVgxQul.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: e4e8a6b1db76108477d6259f6fa005bc064dafe6f504191930de502fe42ea4c8
• Instruction ID: 1f545b4496d48e3c7bc02056f8674e5887b4459e3c49677f442fb9c6f50caa78
• Opcode Fuzzy Hash: e4e8a6b1db76108477d6259f6fa005bc064dafe6f504191930de502fe42ea4c8
• Instruction Fuzzy Hash: 0D518134E102099FDF65DBA8D5806AEB7FAEB85310F24852ADC05DB358DB31DC46CB64

Execution Graph

Execution Coverage: 11.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 446
Total number of Limit Nodes: 41
execution_graph: [graph rendering data (node ids, addresses and edges) not reproduced]. The nodes that resolve to imported APIs in the graph are DrawTextExW, PostMessageW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, GetModuleHandleW, CreateActCtxA, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread.

Control-flow Graph

control_flow_graph: function 174d4e8-174d6c5 [basic-block and edge data not reproduced]. Blocks in this function call GetCurrentProcess, GetCurrentThread, GetCurrentProcess (again), GetCurrentThreadId and the internal routine at 174d6c8.
APIs
• GetCurrentProcess.KERNEL32 ref: 0174D576
• GetCurrentThread.KERNEL32 ref: 0174D5B3
• GetCurrentProcess.KERNEL32 ref: 0174D5F0
• GetCurrentThreadId.KERNEL32 ref: 0174D649
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 171b2a3f21faa31e8cc3a76d2dbafd148b0256f45cefd16b48a25449ddc7544b
• Instruction ID: 1497cad2005fe2f9d736757647b6bcc2de89fc8c150e4ea10e3cce3b161d5fa1
• Opcode Fuzzy Hash: 171b2a3f21faa31e8cc3a76d2dbafd148b0256f45cefd16b48a25449ddc7544b
• Instruction Fuzzy Hash: 895128B09002098FDB18DFA9D548BEEFBF1FB48314F208469E459A7360DB35A984CF65

Control-flow Graph

control_flow_graph: function 174d4f8-174d6c5 [basic-block and edge data not reproduced]. Blocks in this function call GetCurrentProcess, GetCurrentThread, GetCurrentProcess (again), GetCurrentThreadId and the internal routine at 174d6c8.
APIs
• GetCurrentProcess.KERNEL32 ref: 0174D576
• GetCurrentThread.KERNEL32 ref: 0174D5B3
• GetCurrentProcess.KERNEL32 ref: 0174D5F0
• GetCurrentThreadId.KERNEL32 ref: 0174D649
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: eacde3f89708b04b075a26e79161281ce0d951fdeb1ef6036bee06368d93ff38
• Instruction ID: 0d0925c1ad3ffce420198373b3bee5b1cb3a7ec63ea375bcd8c552f04816f841
• Opcode Fuzzy Hash: eacde3f89708b04b075a26e79161281ce0d951fdeb1ef6036bee06368d93ff38
• Instruction Fuzzy Hash: 1D5125B09002098FDB18DFA9D548BDEFBF1BB48314F208469E459AB360DB75A984CF65

Control-flow Graph

control_flow_graph: function 72a6468-72a6812 [basic-block and edge data not reproduced]. Blocks in this function call the internal routines at 72a4eac (twice), 72a4ebc, 72a4ecc, 72a6818 and 72a6950, and the API GetCurrentThreadId.
Strings
Memory Dump Source
• Source File: 00000009.00000002.1801635811.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_72a0000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq
• API String ID: 0-4258043069
• Opcode ID: 945ca3cc818b251e094ab57af83df2f1e4a42e3e409b6e0e51153f2547078047
• Instruction ID: 89dbaf2f14f166a59fbf40637d168b8e3c02fdbcf98ad8d606db2503592dccf9
• Opcode Fuzzy Hash: 945ca3cc818b251e094ab57af83df2f1e4a42e3e409b6e0e51153f2547078047
• Instruction Fuzzy Hash: 72A12875A102199FCB15EFA8C5589AEBBF2FF89350F2440A9D405AB360CB35ED41CFA1
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073B56EE
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 54e36a0984bb4b84e64c0932a92c335c69efeba203a131b7ca9da9ac67d6ae20
• Instruction ID: 89e5ae83d29c383708ce1217ed144be5ed07dcafdf1449c30b5fe5036c8a5383
• Opcode Fuzzy Hash: 54e36a0984bb4b84e64c0932a92c335c69efeba203a131b7ca9da9ac67d6ae20
• Instruction Fuzzy Hash: 6AA190B1D0025ADFEF20DF68C8417DDBBB2BF48310F1485AAE849A7640DB749995CF92
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073B56EE
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 4cf68c60137a5b439eb1d957b64c911f433b72881f96c4ed956c4276ad120bfe
• Instruction ID: b5c32a630a7790374c743450a7137becf37e0375643b54eebf3caa38b1022604
• Opcode Fuzzy Hash: 4cf68c60137a5b439eb1d957b64c911f433b72881f96c4ed956c4276ad120bfe
• Instruction Fuzzy Hash: 7A918FB1D0025ADFEF20DF68C8417DDBBB2BF48310F1485AAE809A7640DB749995CF92

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0174B0BE
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

APIs
• CreateActCtxA.KERNEL32(?), ref: 017459C9
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

APIs
• CreateActCtxA.KERNEL32(?), ref: 017459C9
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0778BC6D,?,?), ref: 0778BD1F
Memory Dump Source
• Source File: 00000009.00000002.1803162725.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7780000_eWJxJJ.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073B52C0
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0778BC6D,?,?), ref: 0778BD1F
Memory Dump Source
• Source File: 00000009.00000002.1803162725.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7780000_eWJxJJ.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073B52C0
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073B53A0
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073B48A6
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073B53A0
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073B48A6
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D7C7
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D7C7
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073B51DE
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073B51DE
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 073B898D
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0174B0BE
Memory Dump Source
• Source File: 00000009.00000002.1792133113.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1740000_eWJxJJ.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 073B898D
Memory Dump Source
• Source File: 00000009.00000002.1802997771.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73b0000_eWJxJJ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Memory Dump Source
• Source File: 00000009.00000002.1790674853.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16dd000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790674853.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16dd000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790958165.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16ed000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790958165.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16ed000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790958165.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16ed000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790674853.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16dd000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790674853.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16dd000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790958165.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16ed000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790674853.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16dd000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1790674853.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_16dd000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 12.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 17
Total number of Limit Nodes: 4
execution_graph: node and edge dump omitted (entry node 1160848; the only API calls in the graph are GlobalMemoryStatusEx)

Control-flow Graph: function starting at 6b03040 (node and edge dump omitted)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2392861976

Control-flow Graph: function starting at 6b07d68 (node and edge dump omitted)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q
• API String ID: 0-355816377
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph: function starting at 6b0acb8 (node and edge dump omitted)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-3823777903

Control-flow Graph: function starting at 6b0b630 (node and edge dump omitted)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2392861976

Control-flow Graph: function starting at 6b09138 (node and edge dump omitted)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
                                                                                                              • Opcode ID: e3ead7162b3973d857845208419c76c1a642c8fb1fd7aa4c921fc7a887913403
                                                                                                              • Instruction ID: bc003735c0f86dfe8824cff13f3502ddd0626458501c9a80fed70578461f48c6
                                                                                                              • Opcode Fuzzy Hash: e3ead7162b3973d857845208419c76c1a642c8fb1fd7aa4c921fc7a887913403
                                                                                                              • Instruction Fuzzy Hash: F8916170F0021A9FDB54EB65D9507AEB7F6FBC8204F109569D40DEB389EB70AC428B91

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 488 6b0cf28-6b0cf43 489 6b0cf45-6b0cf48 488->489 490 6b0cf91-6b0cf94 489->490 491 6b0cf4a-6b0cf8c 489->491 492 6b0d414-6b0d420 490->492 493 6b0cf9a-6b0cf9d 490->493 491->490 494 6b0d122-6b0d131 492->494 495 6b0d426-6b0d713 492->495 496 6b0cfe6-6b0cfe9 493->496 497 6b0cf9f-6b0cfae 493->497 501 6b0d140-6b0d14c 494->501 502 6b0d133-6b0d138 494->502 701 6b0d719-6b0d71f 495->701 702 6b0d93a-6b0d944 495->702 499 6b0d032-6b0d035 496->499 500 6b0cfeb-6b0d02d 496->500 503 6b0cfb0-6b0cfb5 497->503 504 6b0cfbd-6b0cfc9 497->504 509 6b0d037-6b0d079 499->509 510 6b0d07e-6b0d081 499->510 500->499 506 6b0d152-6b0d164 501->506 507 6b0d945-6b0d97e 501->507 502->501 503->504 504->507 511 6b0cfcf-6b0cfe1 504->511 525 6b0d169-6b0d16c 506->525 524 6b0d980-6b0d983 507->524 509->510 513 6b0d083-6b0d09f 510->513 514 6b0d0a4-6b0d0a7 510->514 511->496 513->514 519 6b0d0f0-6b0d0f3 514->519 520 6b0d0a9-6b0d0eb 514->520 527 6b0d0f5-6b0d0fa 519->527 528 6b0d0fd-6b0d100 519->528 520->519 532 6b0d985-6b0d9a1 524->532 533 6b0d9a6-6b0d9a9 524->533 534 6b0d17b-6b0d17e 525->534 535 6b0d16e-6b0d170 525->535 527->528 536 6b0d102-6b0d118 528->536 537 6b0d11d-6b0d120 528->537 532->533 545 6b0d9b8-6b0d9bb 533->545 546 6b0d9ab call 6b0da9d 533->546 543 6b0d180-6b0d1c2 534->543 544 6b0d1c7-6b0d1ca 534->544 540 6b0d411 535->540 541 6b0d176 535->541 536->537 537->494 537->525 540->492 541->534 543->544 548 6b0d213-6b0d216 544->548 549 6b0d1cc-6b0d20e 544->549 554 6b0d9bd-6b0d9e9 545->554 555 6b0d9ee-6b0d9f0 545->555 559 6b0d9b1-6b0d9b3 546->559 562 6b0d225-6b0d228 548->562 563 6b0d218-6b0d21a 548->563 549->548 554->555 560 6b0d9f2 555->560 561 6b0d9f7-6b0d9fa 555->561 559->545 560->561 561->524 570 6b0d9fc-6b0da0b 561->570 573 6b0d271-6b0d274 562->573 574 6b0d22a-6b0d26c 562->574 571 6b0d220 563->571 572 6b0d2cf-6b0d2d8 563->572 593 6b0da72-6b0da87 570->593 594 6b0da0d-6b0da70 call 6b06590 570->594 571->562 579 6b0d2e7-6b0d2f3 572->579 580 6b0d2da-6b0d2df 572->580 576 6b0d276-6b0d2b8 573->576 577 6b0d2bd-6b0d2bf 573->577 574->573 576->577 583 6b0d2c1 577->583 584 6b0d2c6-6b0d2c9 577->584 586 6b0d404-6b0d409 579->586 587 6b0d2f9-6b0d30d 579->587 580->579 583->584 584->489 584->572 586->540 587->540 604 6b0d313-6b0d325 587->604 606 6b0da88 593->606 594->593 618 6b0d327-6b0d32d 604->618 619 6b0d349-6b0d34b 604->619 606->606 622 6b0d331-6b0d33d 618->622 623 6b0d32f 618->623 625 6b0d355-6b0d361 619->625 627 6b0d33f-6b0d347 622->627 623->627 635 6b0d363-6b0d36d 625->635 636 6b0d36f 625->636 627->625 638 6b0d374-6b0d376 635->638 636->638 638->540 640 6b0d37c-6b0d398 call 6b06590 638->640 649 6b0d3a7-6b0d3b3 640->649 650 6b0d39a-6b0d39f 640->650 649->586 651 6b0d3b5-6b0d402 649->651 650->649 651->540 703 6b0d721-6b0d726 701->703 704 6b0d72e-6b0d737 701->704 703->704 704->507 705 6b0d73d-6b0d750 704->705 707 6b0d756-6b0d75c 705->707 708 6b0d92a-6b0d934 705->708 709 6b0d76b-6b0d774 707->709 710 6b0d75e-6b0d763 707->710 708->701 708->702 709->507 711 6b0d77a-6b0d79b 709->711 714 6b0d7aa-6b0d7b3 711->714 715 6b0d79d-6b0d7a2 711->715 714->507 716 6b0d7b9-6b0d7d6 714->716 715->714 716->708 719 6b0d7dc-6b0d7e2 716->719 719->507 720 6b0d7e8-6b0d801 719->720 722 6b0d807-6b0d82e 720->722 723 6b0d91d-6b0d924 720->723 722->507 726 6b0d834-6b0d83e 722->726 723->708 723->719 726->507 727 6b0d844-6b0d85b 726->727 729 6b0d86a-6b0d885 727->729 730 6b0d85d-6b0d868 727->730 729->723 735 6b0d88b-6b0d8a4 call 6b06590 729->735 730->729 739 6b0d8b3-6b0d8bc 735->739 740 6b0d8a6-6b0d8ab 735->740 739->507 741 6b0d8c2-6b0d916 739->741 740->739 741->723
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q
                                                                                                              • API String ID: 0-831282457
                                                                                                              • Opcode ID: 4014cdd52f8a48fc74084b90870314e61c3023890d5eccaa0e9db6ce9ab22e64
                                                                                                              • Instruction ID: 50516a71b06a6d43202fca68160552e3e3fa282abc1b4bd07e8251fd03cee946
                                                                                                              • Opcode Fuzzy Hash: 4014cdd52f8a48fc74084b90870314e61c3023890d5eccaa0e9db6ce9ab22e64
                                                                                                              • Instruction Fuzzy Hash: 03625330B0021A8FDB55EB69D590A5DBBF2FF84304F109A68D0099F3A9DB71EC46CB90

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 749 6b04b50-6b04b74 750 6b04b76-6b04b79 749->750 751 6b05258-6b0525b 750->751 752 6b04b7f-6b04c77 750->752 753 6b0527c-6b0527e 751->753 754 6b0525d-6b05277 751->754 772 6b04cfa-6b04d01 752->772 773 6b04c7d-6b04cca call 6b053f8 752->773 755 6b05280 753->755 756 6b05285-6b05288 753->756 754->753 755->756 756->750 758 6b0528e-6b0529b 756->758 774 6b04d85-6b04d8e 772->774 775 6b04d07-6b04d77 772->775 786 6b04cd0-6b04cec 773->786 774->758 792 6b04d82 775->792 793 6b04d79 775->793 789 6b04cf7 786->789 790 6b04cee 786->790 789->772 790->789 792->774 793->792
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fcq$XPcq$\Ocq
                                                                                                              • API String ID: 0-3575482020
                                                                                                              • Opcode ID: 5c0f42613614408730146e079d0e4ef6a042f8d96de1ffaac1874646da4c3cf9
                                                                                                              • Instruction ID: f56fc9f6ab8e71a37d4ecb3f14d2f1d7571c4950c653d09d3cc15ac7b9e7393e
                                                                                                              • Opcode Fuzzy Hash: 5c0f42613614408730146e079d0e4ef6a042f8d96de1ffaac1874646da4c3cf9
                                                                                                              • Instruction Fuzzy Hash: 2C61AF70E002199FEF559FA8C8547AEBEF6FF88300F208529D506AB395DB758C058B91

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1711 6b09127-6b0915d 1712 6b0915f-6b09162 1711->1712 1713 6b09a20-6b09a23 1712->1713 1714 6b09168-6b0917d 1712->1714 1715 6b09a25-6b09a44 1713->1715 1716 6b09a49-6b09a4b 1713->1716 1721 6b09195-6b091ab 1714->1721 1722 6b0917f-6b09185 1714->1722 1715->1716 1718 6b09a52-6b09a55 1716->1718 1719 6b09a4d 1716->1719 1718->1712 1723 6b09a5b-6b09a65 1718->1723 1719->1718 1728 6b091b6-6b091b8 1721->1728 1724 6b09187 1722->1724 1725 6b09189-6b0918b 1722->1725 1724->1721 1725->1721 1729 6b091d0-6b09241 1728->1729 1730 6b091ba-6b091c0 1728->1730 1741 6b09243-6b09266 1729->1741 1742 6b0926d-6b09289 1729->1742 1731 6b091c2 1730->1731 1732 6b091c4-6b091c6 1730->1732 1731->1729 1732->1729 1741->1742 1747 6b092b5-6b092d0 1742->1747 1748 6b0928b-6b092ae 1742->1748 1753 6b092d2-6b092f4 1747->1753 1754 6b092fb-6b09316 1747->1754 1748->1747 1753->1754 1759 6b09318-6b09334 1754->1759 1760 6b0933b-6b09349 1754->1760 1759->1760 1761 6b09359-6b093d3 1760->1761 1762 6b0934b-6b09354 1760->1762 1768 6b09420-6b09435 1761->1768 1769 6b093d5-6b093f3 1761->1769 1762->1723 1768->1713 1773 6b093f5-6b09404 1769->1773 1774 6b0940f-6b0941e 1769->1774 1773->1774 1774->1768 1774->1769
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q
                                                                                                              • API String ID: 0-355816377
                                                                                                              • Opcode ID: bbe317f82cb6ae0bfec74b28c584a87ab2b1238b4e344a8ba273b753c2309f51
                                                                                                              • Instruction ID: 9c9f5233038f371561d69f99075cc373c8a0d5ac84e03c7f19374e66d07db387
                                                                                                              • Opcode Fuzzy Hash: bbe317f82cb6ae0bfec74b28c584a87ab2b1238b4e344a8ba273b753c2309f51
                                                                                                              • Instruction Fuzzy Hash: 41517070F002159FEB54EB65D990BAEB7F6EB88600F109569D40DDB3C9EB30AC42CB95

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 2237 116eb38-116eb40 2238 116eb42-116eb53 2237->2238 2239 116eaff-116eb18 call 116eb38 2237->2239 2241 116eb55-116eb7c 2238->2241 2242 116eb7d-116eb93 2238->2242 2244 116eb1e-116eb22 2239->2244 2268 116eb95 call 116ec20 2242->2268 2269 116eb95 call 116eb38 2242->2269 2246 116eb24-116eb29 2244->2246 2247 116eb2b-116eb2e 2244->2247 2249 116eb31-116eb33 2246->2249 2247->2249 2248 116eb9a-116eb9c 2250 116eba2-116ec01 2248->2250 2251 116eb9e-116eba1 2248->2251 2258 116ec07-116ec94 GlobalMemoryStatusEx 2250->2258 2259 116ec03-116ec06 2250->2259 2263 116ec96-116ec9c 2258->2263 2264 116ec9d-116ecc5 2258->2264 2263->2264 2268->2248 2269->2248
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2965870415.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_1160000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7c7e20deba295d1ae11a427b962a03c7e1f3914aae82a6e1c023e3bcdbeef955
                                                                                                              • Instruction ID: f69d8859704e404f861518d03039a8a37ac3aa0b1bb109ce5a7173fae9dcecda
                                                                                                              • Opcode Fuzzy Hash: 7c7e20deba295d1ae11a427b962a03c7e1f3914aae82a6e1c023e3bcdbeef955
                                                                                                              • Instruction Fuzzy Hash: DC514472D013589FDB18DF79D8047DEBFF9AF89210F14856AD509A7281DB349841CBE1

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 2270 116ec20-116ec94 GlobalMemoryStatusEx 2272 116ec96-116ec9c 2270->2272 2273 116ec9d-116ecc5 2270->2273 2272->2273
                                                                                                              APIs
                                                                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0116EC87
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2965870415.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_1160000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: GlobalMemoryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1890195054-0
                                                                                                              • Opcode ID: 9388f97f5a14672ce4e59c08de74d0b91b74e3910b5af5e72460e1fc5aedb726
                                                                                                              • Instruction ID: 5a48be714223b838a014c285bbae60d44683b647f06591658cb2ad910d8cb4ba
                                                                                                              • Opcode Fuzzy Hash: 9388f97f5a14672ce4e59c08de74d0b91b74e3910b5af5e72460e1fc5aedb726
                                                                                                              • Instruction Fuzzy Hash: D61120B1C00269DBCB10CF9AC544BDEFBF8AF48320F10812AD818B7240D378A944CFA5
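The per-function records in this part of the report follow a fixed layout: an optional `control_flow_graph` token stream, an optional `APIs` list of `Name.MODULE ref: ADDRESS` lines, then `Memory Dump Source`, `Similarity` and the Opcode/Instruction IDs and fuzzy hashes. The Python below is an added editorial example, not part of the Joe Sandbox report or its tooling; it parses that layout into structured records so the API references, the memory region each function was dumped from, and the hashes worth pivoting on can be pulled out programmatically. The embedded excerpt is copied from two of the records on this page (the GlobalMemoryStatusEx function at 116ec20 and the 06B00000-region function tagged with the string `XPcq`). The reading of the `control_flow_graph` stream as "node id, address or address range, then optional API names or `call target` annotations, with `src->dst` edges" is inferred from the listing and is an assumption about the format, not documented Joe Sandbox behaviour.

```python
"""Parse Joe Sandbox per-function disassembly records into structured data.

Added example; the record format and the control_flow_graph token grammar
are inferred from the report text (assumption), not from Joe Sandbox docs.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt copied from two records on this page (not constructed data).
REPORT_EXCERPT = """
control_flow_graph 2270 116ec20-116ec94 GlobalMemoryStatusEx 2272 116ec96-116ec9c 2270->2272 2273 116ec9d-116ecc5 2270->2273 2272->2273
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0116EC87
Memory Dump Source
• Source File: 0000000D.00000002.2965870415.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1160000_eWJxJJ.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 9388f97f5a14672ce4e59c08de74d0b91b74e3910b5af5e72460e1fc5aedb726
• Instruction ID: 5a48be714223b838a014c285bbae60d44683b647f06591658cb2ad910d8cb4ba
• Opcode Fuzzy Hash: 9388f97f5a14672ce4e59c08de74d0b91b74e3910b5af5e72460e1fc5aedb726
• Instruction Fuzzy Hash: D61120B1C00269DBCB10CF9AC544BDEFBF8AF48320F10812AD818B7240D378A944CFA5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: XPcq
• API String ID: 0-714321711
• Opcode ID: df4e6a31b1ef43e11747ab05ef89e9b9d10f4800f826d312f3718fdfaae804ba
• Instruction ID: 7e5d0703c57100e61e408816e9bc343ff42a03b4b185a8d879d75cc6b4a9147a
• Opcode Fuzzy Hash: df4e6a31b1ef43e11747ab05ef89e9b9d10f4800f826d312f3718fdfaae804ba
• Instruction Fuzzy Hash: A1418E70E102199FEB599FA8C8547AEBBF2BF88700F20852AE145AB395DB708C05CB51
"""

CFG_RE = re.compile(r"^control_flow_graph\s+(.*)$")
API_REF_RE = re.compile(r"^•\s*(\w+)\.(\w+)\s+ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Cfg:
    nodes: dict = field(default_factory=dict)   # block id -> address or range
    edges: list = field(default_factory=list)   # (src id, dst id)
    apis: dict = field(default_factory=dict)    # block id -> [API names]
    calls: dict = field(default_factory=dict)   # block id -> [call targets]


@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)    # "API ID", "Opcode ID", ...
    api_refs: list = field(default_factory=list)  # (api, module, address)
    cfg: Optional[Cfg] = None


def parse_cfg(body: str) -> Cfg:
    """Token stream: '<id> <addr[-addr]> [ApiName | call <target>]... <a>-><b>...'."""
    cfg, cur, expect_addr, expect_call = Cfg(), None, False, False
    for tok in body.split():
        m = EDGE_RE.match(tok)
        if m:
            cfg.edges.append((int(m.group(1)), int(m.group(2))))
            expect_addr = expect_call = False
        elif expect_addr:                 # token right after a block id
            cfg.nodes[cur], expect_addr = tok, False
        elif expect_call:                 # token right after 'call'
            cfg.calls.setdefault(cur, []).append(tok)
            expect_call = False
        elif tok.isdigit():               # a new basic block id
            cur, expect_addr = int(tok), True
        elif tok == "call":
            expect_call = True
        else:                             # bare API name on the current block
            cfg.apis.setdefault(cur, []).append(tok)
    return cfg


def parse_records(text: str) -> list:
    """Split the report text into FunctionRecords; 'Instruction Fuzzy Hash' closes one."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := CFG_RE.match(line)):
            cur.cfg = parse_cfg(m.group(1))
        elif (m := API_REF_RE.match(line)):
            cur.api_refs.append((m.group(1), m.group(2), m.group(3)))
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            cur.fields[key] = value
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
        # section labels (Strings, APIs, Similarity, ...) carry no data
    return records


def region(rec: FunctionRecord) -> str:
    """Base address of the memory dump the function came from (from 'Offset:')."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rec.fields.get("Source File", ""))
    return m.group(1) if m else "?"


def group_by_region(records: list) -> dict:
    out = {}
    for rec in records:
        out.setdefault(region(rec), []).append(rec.fields["Opcode ID"])
    return out


def api_inventory(records: list) -> dict:
    """'Api.MODULE' -> sorted reference addresses, across all records."""
    inv = {}
    for rec in records:
        for api, mod, addr in rec.api_refs:
            inv.setdefault(f"{api}.{mod}", []).append(addr)
    return {k: sorted(v) for k, v in inv.items()}


def cfg_summary(rec: FunctionRecord) -> dict:
    if rec.cfg is None:
        return {}
    return {
        "blocks": len(rec.cfg.nodes),
        "edges": len(rec.cfg.edges),
        "apis": sorted(a for lst in rec.cfg.apis.values() for a in lst),
        "callees": sorted(c for lst in rec.cfg.calls.values() for c in lst),
    }


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    print("regions:", group_by_region(recs))
    print("APIs:", api_inventory(recs))
    for r in recs:
        print(r.fields["Opcode ID"][:16], cfg_summary(r))
```

GlobalMemoryStatusEx is the only named import in this part of the report. It returns physical and virtual memory totals, and comparing the total against a threshold is a common low-RAM sandbox heuristic, so the reference is worth pivoting on; the record itself only shows that the call is made at 0116EC87, not what is done with the result, so that check must be confirmed in the disassembly before it is reported as anti-analysis behaviour.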
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: XPcq
                                                                                                              • API String ID: 0-714321711
                                                                                                              • Opcode ID: df4e6a31b1ef43e11747ab05ef89e9b9d10f4800f826d312f3718fdfaae804ba
                                                                                                              • Instruction ID: 7e5d0703c57100e61e408816e9bc343ff42a03b4b185a8d879d75cc6b4a9147a
                                                                                                              • Opcode Fuzzy Hash: df4e6a31b1ef43e11747ab05ef89e9b9d10f4800f826d312f3718fdfaae804ba
                                                                                                              • Instruction Fuzzy Hash: A1418E70E102199FEB599FA8C8547AEBBF2BF88700F20852AE145AB395DB708C05CB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH^q
                                                                                                              • API String ID: 0-2549759414
                                                                                                              • Opcode ID: 15ec7caa0c801cacd85622427aeaf708dd927b0a258edd19e09d0527f4642db6
                                                                                                              • Instruction ID: 20e11230a596874ad7d299a08572b54556e63d3349f7a780f6eb6255ed46d209
                                                                                                              • Opcode Fuzzy Hash: 15ec7caa0c801cacd85622427aeaf708dd927b0a258edd19e09d0527f4642db6
                                                                                                              • Instruction Fuzzy Hash: DC41AF70E0030A9FEB65DFA5C44469EBFB2FF85200F204669E416EB2C4DB75D846CB91
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH^q
                                                                                                              • API String ID: 0-2549759414
                                                                                                              • Opcode ID: b6843ccd558a57f99a9683fe5538433b22486cb8e3ec40590106c338d8c9fe68
                                                                                                              • Instruction ID: 7e8e8bd1c0a150d34b6a29515156626c7a6609d47dd27b9919a2174f2b96cff0
                                                                                                              • Opcode Fuzzy Hash: b6843ccd558a57f99a9683fe5538433b22486cb8e3ec40590106c338d8c9fe68
                                                                                                              • Instruction Fuzzy Hash: BD311470F102058FEB699BB4C51866E7FE2EB89200F108578D006DB394DF35DD49C7A1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q
                                                                                                              • API String ID: 0-388095546
                                                                                                              • Opcode ID: 34d495f1432f63fa55557afc8f1957e6b510aa757efbd04b5d9b739ba4eaa24a
                                                                                                              • Instruction ID: a85c7c0cd85164f990c37304173cc183870e56874b2ebcc6f01788a2f0a56b39
                                                                                                              • Opcode Fuzzy Hash: 34d495f1432f63fa55557afc8f1957e6b510aa757efbd04b5d9b739ba4eaa24a
                                                                                                              • Instruction Fuzzy Hash: 2EF0A076E14211CFFFB85A42A8506B87FA4E788224B0415E2FD08CB1D5CB31DB00C690
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6f1e563e88bebbd35e81ea39421881ae2eca8620cd7cd898083388e447561f64
                                                                                                              • Instruction ID: 1271cd5b69cb22bc1cc2b9b5ad176617989187c0f3e2d8238d80e91259a9a089
                                                                                                              • Opcode Fuzzy Hash: 6f1e563e88bebbd35e81ea39421881ae2eca8620cd7cd898083388e447561f64
                                                                                                              • Instruction Fuzzy Hash: 1132A174F102198FEB54DB68D980AADBFB2FB88314F108665E409D7395DB31EC46CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d074bd8e3d4ea4d51a9760bfd32cb1578998a3416663f5c17c7e567901822d12
                                                                                                              • Instruction ID: b13c11c8386baf00bb08578984ee8460884dc40834d86f3cb2aa3ee95936aebb
                                                                                                              • Opcode Fuzzy Hash: d074bd8e3d4ea4d51a9760bfd32cb1578998a3416663f5c17c7e567901822d12
                                                                                                              • Instruction Fuzzy Hash: 9D61AFB1F000214FDB549A7EC88466FAED7EFC4610B15447AD80EDB364EE65ED0287C2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eb19232b4425b0f96f3e47287d626ca1cdea69568d3e2eee5a0bcb2153a0e4b8
                                                                                                              • Instruction ID: 8e3b5057422faf8cf4473eacd6533f8f1089cedfbbac81cfe795c3040c6e431b
                                                                                                              • Opcode Fuzzy Hash: eb19232b4425b0f96f3e47287d626ca1cdea69568d3e2eee5a0bcb2153a0e4b8
                                                                                                              • Instruction Fuzzy Hash: 51818C70F102099FDF54DBA9D5546AEBBF2EF89304F108568D50ADB394EB31EC428B51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 73fd0c7e695253e6378fe4f353d9a16849004deab24b01aaa3b1b3f66281f6b9
                                                                                                              • Instruction ID: b382659e2a695ef0ded30d71763d94866502c8df1a01b84b8626be0ec18a1e83
                                                                                                              • Opcode Fuzzy Hash: 73fd0c7e695253e6378fe4f353d9a16849004deab24b01aaa3b1b3f66281f6b9
                                                                                                              • Instruction Fuzzy Hash: EF917170E102198FDF50DF64C880B9DBBB1FF89304F208695D549EB295DB70AA85CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 078531e5cbd02a8fcbfaa4b6fd196abef5018da0f4d96b8b844a7696bc627fd1
                                                                                                              • Instruction ID: 6f7e5efcf24313d71cc06970718a0b242774b964b3d782eff18fe77059e7d366
                                                                                                              • Opcode Fuzzy Hash: 078531e5cbd02a8fcbfaa4b6fd196abef5018da0f4d96b8b844a7696bc627fd1
                                                                                                              • Instruction Fuzzy Hash: DA915070E102198FDF64DF68C880B9DBBB1FF89304F208695D549AB295DB70A985CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1cd0a6cf507cdd69a717efd4c2ce410f0da2c5d70022aa37e316dd709c381bf8
                                                                                                              • Instruction ID: 884858de8ceda802a4de743c6076cec5b625c17d20c0323a85db86d545228ad9
                                                                                                              • Opcode Fuzzy Hash: 1cd0a6cf507cdd69a717efd4c2ce410f0da2c5d70022aa37e316dd709c381bf8
                                                                                                              • Instruction Fuzzy Hash: 88711C70F002099FDB54DBA9D980AADBFFAFF88304F148569E415EB295DB70E846CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 796fe3c0864ff158cae5c1316452046d3cc958c01d12af139c9add0f113aea79
                                                                                                              • Instruction ID: 9e2670c4cb2926232324c0cd6aa98854595cc0d032f51f1898016212e8c03eab
                                                                                                              • Opcode Fuzzy Hash: 796fe3c0864ff158cae5c1316452046d3cc958c01d12af139c9add0f113aea79
                                                                                                              • Instruction Fuzzy Hash: DB710A70B001099FDB54DBA9D980AAEBBFAFF88304F148569E415EB395DB70E846CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6ba950c3557c98caf50428fd5a2e888b2b49bd8b6e19c7dab7116e85d3fe89fa
                                                                                                              • Instruction ID: 4aa1db25de6cd19f37ace32564e548a2e10f033f726008fbd28c16cc38d0cdad
                                                                                                              • Opcode Fuzzy Hash: 6ba950c3557c98caf50428fd5a2e888b2b49bd8b6e19c7dab7116e85d3fe89fa
                                                                                                              • Instruction Fuzzy Hash: EE512271F00109AFEB34AB78E4446BDBFB6FB88301F1089B9E906D7290DB319855CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8d526d61543540d9e9cfde82a17fc73df3bce5b67f139d58e6ad782bd5c52e83
                                                                                                              • Instruction ID: fc64cbec4d1fb4d1059e7de5f59dabd3f4f68a73dff56db08fd8a4caf9d66ed1
                                                                                                              • Opcode Fuzzy Hash: 8d526d61543540d9e9cfde82a17fc73df3bce5b67f139d58e6ad782bd5c52e83
                                                                                                              • Instruction Fuzzy Hash: 5F51F870B102189FFF74666CD95473F2E9EE789300F20596AE80AD33D9CA69CC564792
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f2cbb066130ceaf1e4564d0208596a5b157ed83cf6afb71c84d3e5536c510c8c
                                                                                                              • Instruction ID: b42a71d4ff809e471339e6a9434cfe528e788ac03bd2eeb4681668aac761f169
                                                                                                              • Opcode Fuzzy Hash: f2cbb066130ceaf1e4564d0208596a5b157ed83cf6afb71c84d3e5536c510c8c
                                                                                                              • Instruction Fuzzy Hash: 17512870B102189FFF74666CD95473F2E9FE789300F20592AE80AD33D9CA69CC464792
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0edd84a7d3eaaf384cadc705152801f45ef43b47a7ac2aab0a730c63fc396f80
                                                                                                              • Instruction ID: 0cd609b2bb0adb2f8133673f33ada94c9e921502ac85ce1b1b07262fe3b9d278
                                                                                                              • Opcode Fuzzy Hash: 0edd84a7d3eaaf384cadc705152801f45ef43b47a7ac2aab0a730c63fc396f80
                                                                                                              • Instruction Fuzzy Hash: 87414FB6E006099FDF70CEA9D980AAFFFB2FB44210F104969D216D7A94D330E9558F91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 33817838dcad538b5b4a3c932f2ad4e1ec2e81049a59c70a0db4a9997fbe38ed
                                                                                                              • Instruction ID: f3ea6a8d53a9bf3d074634e0a6f328c91d2c25b7ed89e55cf07896e0ea000f3b
                                                                                                              • Opcode Fuzzy Hash: 33817838dcad538b5b4a3c932f2ad4e1ec2e81049a59c70a0db4a9997fbe38ed
                                                                                                              • Instruction Fuzzy Hash: 0831C870E1021A8FDF15DFA8C95069EBFB2FF85304F144569D405EB394DB71E8468B50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8c573df5cf9d1f790bab6a022901bde8892e7abe1aa816094df0246e459fedef
                                                                                                              • Instruction ID: d75d512176c9d14ca77515862fbfbc16e07cd72f447eba6e2df9bf28a2ac4111
                                                                                                              • Opcode Fuzzy Hash: 8c573df5cf9d1f790bab6a022901bde8892e7abe1aa816094df0246e459fedef
                                                                                                              • Instruction Fuzzy Hash: E531CF70E002199FDB59DFA4D85869EBBB2FF89300F108529E906E7384DB71ED46CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4eda0524312dd2365dfee9556abf9cd55a95f4f4a6ffbf557251d5e283a6da60
                                                                                                              • Instruction ID: 3204d9714235515b66485c9fc1780573d61d669ab87e16542445251caa266af3
                                                                                                              • Opcode Fuzzy Hash: 4eda0524312dd2365dfee9556abf9cd55a95f4f4a6ffbf557251d5e283a6da60
                                                                                                              • Instruction Fuzzy Hash: 0631CF70E102199FDB59DFA4D85869EBBB2FF89300F108529E906E7384DB71AD46CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9ace70fcd82b9c6204bffc4baab21525baffb498351ce50b7413453706dc0210
                                                                                                              • Instruction ID: 994080229934e301b21b39d606b0949096d7f3f604311c37f3195912e5a04ae8
                                                                                                              • Opcode Fuzzy Hash: 9ace70fcd82b9c6204bffc4baab21525baffb498351ce50b7413453706dc0210
                                                                                                              • Instruction Fuzzy Hash: 17217AB5F102169FEB40DF69EC80AEEBBF5EB48610F108165E909E7281E730D8418B95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5f113e7ba19b3f439d83630803df6b62945d6db3691eb648de0cd64092f60dcb
                                                                                                              • Instruction ID: 0aeb085a9b11f959317cf3d2e2657ddbd2975e6dabb809645cf29336691ce178
                                                                                                              • Opcode Fuzzy Hash: 5f113e7ba19b3f439d83630803df6b62945d6db3691eb648de0cd64092f60dcb
                                                                                                              • Instruction Fuzzy Hash: B021B075F002169FEB50DF69D880AAEBBF1EB48710F108165E909E7381E731DC01CB94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2965356119.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_111d000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 285b71e9c5b918f1115bd7a1fb5f9d01bcbe0d24af3877be1edc59dd10873687
                                                                                                              • Instruction ID: a68a018b199427d66719e6c8ca6f13d68ee41276579473aba7215e994f02d065
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2125118731
                                                                                                              • Opcode ID: db003ea589656c8e748ead363f0337b366f460bfb85ab47b0efd4edfd381297b
                                                                                                              • Instruction ID: ec2a77cb0ae257315ce6bf43a27b9aa3e4a38c57bea40278d80980676acbc3af
                                                                                                              • Opcode Fuzzy Hash: db003ea589656c8e748ead363f0337b366f460bfb85ab47b0efd4edfd381297b
                                                                                                              • Instruction Fuzzy Hash: 4D518570E103059FEF65EB64D9806ADBFB6FB48204F205A69D806DB395DB31DC42CB51
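To post-process records like the three above (for instance, to find which functions in the same memory dump were assigned the same API String ID, which is what the Similarity block is for), here is an added Python example. It is not part of the Joe Sandbox report or of Joe Sandbox's tooling. The parser, the grouping helper and the sub-field names it derives from the Source File bullet (Offset, based on PE) are assumptions about the record format; the embedded sample text is copied from the three records on this page.

```python
"""Parse Joe Sandbox per-function Similarity records and group them.

Added example, not Joe Sandbox code. The record layout assumed here is the
one visible on the page: each function entry begins with a "Strings" heading
and its fields are "• Key: Value" bullets.
"""
import re
from collections import defaultdict

# Sample input copied from the three records above (same memory dump, three functions).
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: f4d5b6ba451a59f170047392b24e517dbcde0da0a5a0675ac79da432e1595fdc
• Instruction ID: fb5a23b33cdb1767824db38e6ec7e374078f2c519b5917251042434ed3180aab
• Opcode Fuzzy Hash: f4d5b6ba451a59f170047392b24e517dbcde0da0a5a0675ac79da432e1595fdc
• Instruction Fuzzy Hash: 53B16D70F10209CFEB58DB69D58066EBBB6FF88304F248569D4069B399DB71DD82CB80
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: LR^q$LR^q$$^q$$^q
• API String ID: 0-2454687669
• Opcode ID: cab47c5e1dd5a872c5b7791e505d0625ed7b9b20ddf7867f0e95e1f27af03377
• Instruction ID: a8655f1f3135632510ebb21ad1a08f5d8be8160dc8e3f7d13304d42ba416b0ec
• Opcode Fuzzy Hash: cab47c5e1dd5a872c5b7791e505d0625ed7b9b20ddf7867f0e95e1f27af03377
• Instruction Fuzzy Hash: F5519270B102058FEB58EB29D540A6ABFE5FB84304F1496A8E4069B3A9DB31ED45CB51
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2980990767.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6b00000_eWJxJJ.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: db003ea589656c8e748ead363f0337b366f460bfb85ab47b0efd4edfd381297b
• Instruction ID: ec2a77cb0ae257315ce6bf43a27b9aa3e4a38c57bea40278d80980676acbc3af
• Opcode Fuzzy Hash: db003ea589656c8e748ead363f0337b366f460bfb85ab47b0efd4edfd381297b
• Instruction Fuzzy Hash: 4D518570E103059FEF65EB64D9806ADBFB6FB48204F205A69D806DB395DB31DC42CB51
"""

# One "• Key: Value" bullet; Value may be empty (e.g. "• API ID:").
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Return one dict per function entry, keyed by the bullet labels."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":  # assumed: every entry starts with this heading
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m or current is None:
            continue  # section headings such as "Similarity" carry no data
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # The bullet packs "path, Offset: X, based on PE: bool" into one
            # value; split it into separate keys (names are our assumption).
            parts = [p.strip() for p in value.split(",")]
            current["Source File"] = parts[0]
            for part in parts[1:]:
                sub_key, _, sub_val = part.partition(":")
                current[sub_key.strip()] = sub_val.strip()
        else:
            current[key] = value
    return records


def group_by(records, key):
    """Map each distinct value of `key` to the Opcode IDs of functions sharing it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get(key, "")].append(rec["Opcode ID"])
    return dict(groups)


def hash_fields_consistent(record):
    """In these records Opcode ID and Opcode Fuzzy Hash carry the same value."""
    return record["Opcode ID"] == record["Opcode Fuzzy Hash"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api_string_id, opcode_ids in group_by(recs, "API String ID").items():
        print(api_string_id, len(opcode_ids), "function(s)")
```

Running it shows the point the Similarity block makes implicitly: the first and third functions carry the same String ID and API String ID (0-2125118731) although their Opcode IDs and Instruction IDs differ, while the second function is alone under 0-2454687669. Grouping by Instruction Fuzzy Hash is deliberately not attempted here; the hash's internal format is Joe Sandbox's and this example makes no assumption about how two of them should be compared.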