Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Mt6QkZnVbc.exe

Overview

General Information

Sample name:Mt6QkZnVbc.exe
renamed because original name is a hash value
Original sample name:49267a1e4c9cbb955209690e1d82d1d1.exe
Analysis ID:1427111
MD5:49267a1e4c9cbb955209690e1d82d1d1
SHA1:47fb7d48398a2049f84c4a68c96ea5ac27513cbe
SHA256:1fbcb895a6e34fb2a307c0c9896b7922ea723e5eea183fa319c0142c5a761fdf
Tags:DCRatexe
Infos:

Detection

DCRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Mt6QkZnVbc.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\Mt6QkZnVbc.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
    • schtasks.exe (PID: 7720 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\services.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7744 cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7760 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7784 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7800 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7820 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7836 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\dwm.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7880 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7904 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7952 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7996 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8016 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8068 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8096 cmdline: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8116 cmdline: schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 8156 cmdline: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1432 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5460 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2852 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 4944 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 6976 cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7344 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • UserOOBEBroker.exe (PID: 2504 cmdline: "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (PID: 7896 cmdline: "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (PID: 7920 cmdline: "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • dwm.exe (PID: 7960 cmdline: C:\Recovery\dwm.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • dwm.exe (PID: 7980 cmdline: C:\Recovery\dwm.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • services.exe (PID: 8024 cmdline: C:\Recovery\services.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • services.exe (PID: 8076 cmdline: C:\Recovery\services.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • sihost.exe (PID: 7820 cmdline: C:\Recovery\sihost.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • sihost.exe (PID: 7836 cmdline: C:\Recovery\sihost.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • UserOOBEBroker.exe (PID: 7912 cmdline: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • UserOOBEBroker.exe (PID: 7952 cmdline: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DCRatDCRat is a typical RAT that has been around since at least June 2019.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"b\":\"-\",\"B\":\"^\",\"1\":\",\",\"a\":\"@\",\"I\":\" \",\"2\":\";\",\"T\":\"&\",\"L\":\"<\",\"z\":\"~\",\"j\":\"%\",\"M\":\"$\",\"w\":\"!\",\"S\":\"`\",\"y\":\"_\",\"F\":\"|\",\"k\":\"(\",\"J\":\"#\",\"u\":\")\",\"W\":\"*\",\"n\":\".\",\"O\":\">\"}", "PCRT": "{\"U\":\"(\",\"J\":\"&\",\"M\":\"#\",\"N\":\"!\",\"G\":\",\",\"C\":\"~\",\"Y\":\";\",\"H\":\"-\",\"R\":\".\",\"D\":\" \",\"B\":\"%\",\"p\":\"<\",\"W\":\"$\",\"h\":\")\",\"I\":\"|\",\"F\":\"^\",\"5\":\"_\",\"Q\":\"*\",\"Z\":\">\",\"n\":\"`\",\"e\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ePGv71Xi6eHATgLCXbMW", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 1, "AUR": 1, "AURD": "{C:}/Program Files/WinRAR", "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
Mt6QkZnVbc.exeJoeSecurity_DCRat_1Yara detected DCRatJoe Security
    Mt6QkZnVbc.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      Mt6QkZnVbc.exeMALWARE_Win_DCRatDCRat payloadditekSHen
      • 0x126e8e:$x2: DCRat-Log#
      • 0x40a32:$x3: DCRat.Code
      • 0x40256:$v1: Plugin couldn't process this action!
      • 0x402a0:$v2: Unknown command!
      • 0x126eec:$v4: Saving log...
      • 0x126f08:$v5: ~Work.log
      • 0x12633b:$v8: %SystemDrive% - Slow
      • 0x126365:$v9: %UsersFolder% - Fast
      • 0x12638f:$v10: %AppData% - Very Fast

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Windows\SKB\LanguageModels\RCX6E93.tmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
        C:\Windows\SKB\LanguageModels\RCX6E93.tmpJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Windows\SKB\LanguageModels\RCX6E93.tmpMALWARE_Win_DCRatDCRat payloadditekSHen
          • 0x126e8e:$x2: DCRat-Log#
          • 0x40a32:$x3: DCRat.Code
          • 0x40256:$v1: Plugin couldn't process this action!
          • 0x402a0:$v2: Unknown command!
          • 0x126eec:$v4: Saving log...
          • 0x126f08:$v5: ~Work.log
          • 0x12633b:$v8: %SystemDrive% - Slow
          • 0x126365:$v9: %UsersFolder% - Fast
          • 0x12638f:$v10: %AppData% - Very Fast
          C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeJoeSecurity_DCRat_1Yara detected DCRatJoe Security
            C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
              Click to see the 46 entries

              Memory Dumps

              SourceRuleDescriptionAuthorStrings
              00000023.00000002.1868252045.000000000235C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
                00000025.00000002.1874198881.0000000003081000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
                  00000013.00000002.1864451936.00000000029EC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
                    00000023.00000002.1868252045.0000000002321000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
                      0000000F.00000002.1865431873.0000000002511000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
                        Click to see the 26 entries

                        Unpacked PEs

                        SourceRuleDescriptionAuthorStrings
                        0.0.Mt6QkZnVbc.exe.ec0000.0.unpackJoeSecurity_DCRat_1Yara detected DCRatJoe Security
                          0.0.Mt6QkZnVbc.exe.ec0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                            0.0.Mt6QkZnVbc.exe.ec0000.0.unpackMALWARE_Win_DCRatDCRat payloadditekSHen
                            • 0x126e8e:$x2: DCRat-Log#
                            • 0x40a32:$x3: DCRat.Code
                            • 0x40256:$v1: Plugin couldn't process this action!
                            • 0x402a0:$v2: Unknown command!
                            • 0x126eec:$v4: Saving log...
                            • 0x126f08:$v5: ~Work.log
                            • 0x12633b:$v8: %SystemDrive% - Slow
                            • 0x126365:$v9: %UsersFolder% - Fast
                            • 0x12638f:$v10: %AppData% - Very Fast

                            Sigma Signatures

                            System Summary

                            barindex
                            Sigma detected: Files With System Process Name In Unsuspected Locations
                            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Mt6QkZnVbc.exe, ProcessId: 7288, TargetFilename: C:\Recovery\services.exe
                            Sigma detected: System File Execution Location Anomaly
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\dwm.exe, CommandLine: C:\Recovery\dwm.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\dwm.exe, NewProcessName: C:\Recovery\dwm.exe, OriginalFileName: C:\Recovery\dwm.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\dwm.exe, ProcessId: 7960, ProcessName: dwm.exe
                            Sigma detected: Windows Processes Suspicious Parent Directory
                            Source: Process startedAuthor: vburov: Data: Command: C:\Recovery\services.exe, CommandLine: C:\Recovery\services.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\services.exe, NewProcessName: C:\Recovery\services.exe, OriginalFileName: C:\Recovery\services.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\services.exe, ProcessId: 8024, ProcessName: services.exe

                            Snort Signatures

                            No Snort rule has matched

                            Joe Sandbox Signatures

                            Click to jump to signature section

                            Show All Signature Results

                            AV Detection

                            barindex
                            Antivirus / Scanner detection for submitted sample
                            Source: Mt6QkZnVbc.exeAvira: detected
                            Antivirus detection for dropped file
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Recovery\dwm.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Recovery\RCX67AA.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Program Files\Windows Portable Devices\RCX7115.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Program Files (x86)\Google\RCX75E9.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Recovery\RCX786B.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Users\user\Desktop\RCX6567.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Recovery\RCX6C11.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Recovery\services.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Recovery\sihost.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmpAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeAvira: detection malicious, Label: HEUR/AGEN.1310064
                            Found malware configuration
                            Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpackMalware Configuration Extractor: DCRat {"SCRT": "{\"b\":\"-\",\"B\":\"^\",\"1\":\",\",\"a\":\"@\",\"I\":\" \",\"2\":\";\",\"T\":\"&\",\"L\":\"<\",\"z\":\"~\",\"j\":\"%\",\"M\":\"$\",\"w\":\"!\",\"S\":\"`\",\"y\":\"_\",\"F\":\"|\",\"k\":\"(\",\"J\":\"#\",\"u\":\")\",\"W\":\"*\",\"n\":\".\",\"O\":\">\"}", "PCRT": "{\"U\":\"(\",\"J\":\"&\",\"M\":\"#\",\"N\":\"!\",\"G\":\",\",\"C\":\"~\",\"Y\":\";\",\"H\":\"-\",\"R\":\".\",\"D\":\" \",\"B\":\"%\",\"p\":\"<\",\"W\":\"$\",\"h\":\")\",\"I\":\"|\",\"F\":\"^\",\"5\":\"_\",\"Q\":\"*\",\"Z\":\">\",\"n\":\"`\",\"e\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ePGv71Xi6eHATgLCXbMW", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 1, "AUR": 1, "AURD": "{C:}/Program Files/WinRAR", "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}
                            Multi AV Scanner detection for dropped file
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeReversingLabs: Detection: 81%
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeReversingLabs: Detection: 81%
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeReversingLabs: Detection: 81%
                            Source: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Recovery\dwm.exeReversingLabs: Detection: 81%
                            Source: C:\Recovery\dwm.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Recovery\services.exeReversingLabs: Detection: 81%
                            Source: C:\Recovery\services.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Recovery\sihost.exeReversingLabs: Detection: 81%
                            Source: C:\Recovery\sihost.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeReversingLabs: Detection: 81%
                            Source: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeVirustotal: Detection: 81%Perma Link
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeReversingLabs: Detection: 81%
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeVirustotal: Detection: 81%Perma Link
                            Multi AV Scanner detection for submitted file
                            Source: Mt6QkZnVbc.exeReversingLabs: Detection: 81%
                            Source: Mt6QkZnVbc.exeVirustotal: Detection: 81%Perma Link
                            Machine Learning detection for dropped file
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJoe Sandbox ML: detected
                            Source: C:\Recovery\dwm.exeJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJoe Sandbox ML: detected
                            Source: C:\Recovery\services.exeJoe Sandbox ML: detected
                            Source: C:\Recovery\sihost.exeJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJoe Sandbox ML: detected
                            Machine Learning detection for sample
                            Source: Mt6QkZnVbc.exeJoe Sandbox ML: detected
                            Source: Mt6QkZnVbc.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDirectory created: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDirectory created: C:\Program Files\Windows Portable Devices\5d095569012eb4Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDirectory created: C:\Program Files\Windows Portable Devices\RCX7115.tmpJump to behavior
                            Source: Mt6QkZnVbc.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\userJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppDataJump to behavior

                            Networking

                            barindex
                            C2 URLs / IPs found in malware configuration
                            Source: Malware configuration extractorURLs: http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X
                            Yara detected Generic Downloader
                            Source: Yara matchFile source: Mt6QkZnVbc.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX786B.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX67AA.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\sihost.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\dwm.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX6C11.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\services.exe, type: DROPPED
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3kta
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmogram

                            System Summary

                            barindex
                            Malicious sample detected (through community Yara rule)
                            Source: Mt6QkZnVbc.exe, type: SAMPLEMatched rule: DCRat payload Author: ditekSHen
                            Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPEMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Recovery\RCX786B.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Recovery\RCX67AA.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Recovery\sihost.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Recovery\dwm.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Recovery\RCX6C11.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            Source: C:\Recovery\services.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen
                            .NET source code contains very large strings
                            Source: Mt6QkZnVbc.exe, Ba5.csLong String: Length: 469152
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe\:Zone.Identifier:$DATAJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\5d095569012eb4Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe\:Zone.Identifier:$DATAJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\7ccfebd9e92364Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\RCX6E93.tmpJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmpJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile deleted: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmpJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeCode function: 0_2_00007FFD9B8790B40_2_00007FFD9B8790B4
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeCode function: 0_2_00007FFD9B88309D0_2_00007FFD9B88309D
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeCode function: 0_2_00007FFD9B870F800_2_00007FFD9B870F80
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeCode function: 13_2_00007FFD9B8B0F8813_2_00007FFD9B8B0F88
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeCode function: 15_2_00007FFD9B8A514115_2_00007FFD9B8A5141
                            Source: C:\Recovery\dwm.exeCode function: 18_2_00007FFD9B890F8818_2_00007FFD9B890F88
                            Source: C:\Recovery\dwm.exeCode function: 19_2_00007FFD9B8A0F8819_2_00007FFD9B8A0F88
                            Source: C:\Recovery\services.exeCode function: 22_2_00007FFD9B8A514122_2_00007FFD9B8A5141
                            Source: C:\Recovery\services.exeCode function: 24_2_00007FFD9B87514124_2_00007FFD9B875141
                            Source: C:\Recovery\sihost.exeCode function: 35_2_00007FFD9B89514135_2_00007FFD9B895141
                            Source: C:\Recovery\sihost.exeCode function: 36_2_00007FFD9B8B514136_2_00007FFD9B8B5141
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeCode function: 37_2_00007FFD9B8A514137_2_00007FFD9B8A5141
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeCode function: 38_2_00007FFD9B89514138_2_00007FFD9B895141
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeCode function: 39_2_00007FFD9B8A514139_2_00007FFD9B8A5141
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1834404756.000000001C5F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1833776233.000000001C5E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRegEditorPlugin.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1831177564.000000001BBE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1821121468.0000000013454000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename$ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1835516693.000000001C610000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUSBSpread.dll4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1840828053.000000001C7CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLpfieQBsDPgEKgg.exeD vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameniVD4fdxO48.exe vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameniVD4fdxO48.exeD vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1834833653.000000001C600000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1838999865.000000001C640000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1833595298.000000001C3D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1832904401.000000001C390000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1854263821.000000001C8C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameojIckCGKeaTDDtL0f@ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000000.1690631223.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1831005329.000000001BBA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename$ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C2F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileNamew vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1836549677.000000001C620000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUserPingCounter.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1831099502.000000001BBC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBSoDProtection.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1832955052.000000001C3A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003A67000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1833548960.000000001C3C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1831274570.000000001BC10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDisableUAC.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1833461058.000000001C3B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOBSGrabber.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000034F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1838896721.000000001C630000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameVPNGrabber.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1831129714.000000001BBD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1831243375.000000001BC00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCrashLogger.dclib4 vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exeBinary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe
                            Source: Mt6QkZnVbc.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: Mt6QkZnVbc.exe, type: SAMPLEMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Recovery\RCX786B.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Recovery\RCX67AA.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Recovery\sihost.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Recovery\dwm.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Recovery\RCX6C11.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: C:\Recovery\services.exe, type: DROPPEDMatched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
                            Source: Mt6QkZnVbc.exe, Q69.csCryptographic APIs: 'TransformBlock'
                            Source: Mt6QkZnVbc.exe, Q69.csCryptographic APIs: 'TransformFinalBlock'
                            Source: Mt6QkZnVbc.exe, Q69.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                            Source: Mt6QkZnVbc.exe, 277.csBase64 encoded string: 'H4sIAAAAAAAEAFXSXZOaMBQG4B/UG7OduutlQYFkBUogR+AO8YNg1O3gqvTXNywvM+0FQ545LycnGRb0UnfeuZxzVzrCXZso2DblOdZvM/WfQ0r0Q/OFcPNZlBe+k66PStdG+tt7Oat724dI8/qj5XXj7xonqFqRFya68Pp24XPeSz8ae2pOSfpjU+WLvjbPTWV7bRvxvbyLQN1nl3j5lXdlSsOeaTjnWpF34t2qtXOwxLU9+mvLVURZZtfsa82UzZZ/npvibGcIxEr+60h6Mhz2rinTDUvCnU9Oo8qXk7951u0ucKi8HUkqouwgWLISOtbwcG5t9wi8FU138NM+dsbc2Hdn30f4E/7GR1fwb1jCB+QZH72HfdTfYAF/4PsrfILzKQ8/YAO703zwCv6EU/gGc/gVLqfzYJ4l3KEewA0cwy0cwWf4Hb7CZP063HVi1NIxvOPpQT/ML/vE+sHs3Xtru16PNlv4HXUaTTDtRjOOfDram/IVfEBdIp/j+z3qBfIK/dGPob8nkMd8BBv0N1P/qR/O403nQd7D/CxGPkQe+9E0fwIXMO6DkDeY3ySYZ7ovm2f74d9V9p/ORL//C61hzBDwAwAA', 'H4sIAAAAAAAEAA3OUQtDQBwA8K/y153LFroyajkiFk+KotkDV2dz9yCakgf57NvvE/yCoPyoWAcPkkZpCtpOr9elsbJDbwGZWA5N8UU+Npa83GpbXMZMnNJmriDhXpJQe/hsm1NBqzxSsw79aMAKyVWDw4rMqdoh47wg7bM5I1WkL6+jzEQ2mztH3FweOgbB1EixvPfMi/OByul/4RhQ//4B4kpVrJwAAAA='
                            Source: Mt6QkZnVbc.exe, kJk.csBase64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
                            Source: Mt6QkZnVbc.exe, Ba5.csBase64 encoded string: 'H4sIAAAAAAAEAOy9W4vjuhYu+lcifEE2jvAlNDPEW6Qf/FSBFNiIPCl2ImgqlimqKl1JhZDfvseQ5FTVXL0We++5OedwWA+hOyVbl3H5xkVDyv9I2+s8beigD3XJRX0Sool4L2Ld1OWcdiTS/svZ3/XngR61Xvpbv75o2vm62ouMLhIu6ban3aP2m9/hoN5UxV+42D2Jzfqj1/sHclhcrtLvxHS50brb7vtFqTZdqGT3SuTynQux/XnoQt7UW+Kr7V4sTrNUdGJDPq5DdyONf3pOY0/7fkKyOilzUcsJzC/fvejKy/ba/83p7nAemgXzu0L79SbKuyYqdr4Q69OzX+d9Sjs23U3/fXvcl9AeDss1rlc3u4Nq68mZdpyndMX7bhMKjwaiey/9+oe8CK6n/OPqL29R779FBXuKBnrxfPWW+XXxs+3CchP/0GIZZn5TqESsw4bSLO2eS9+/eEPXsSam834ZlkPzElaCl5vmY1Z1ayX8c6WXa110NKPdA6ma7fOf6J2sj6WA8YZFfh68g27FkSVAv97PkB46V6VO6Tkd6I8t3REuvBfdk1DD89tURLplmzLbr7N/y8/6yhIvgf7fwox1wbQ76nQP74sw2AgiB+YHsCydN6Wu6j44sE2Y7GpyWWSzfheqyf5FUyJV1hxD7RG1aTY6M+s/lql4LAdRbXuPlUAfKRmRDdts0y6B9Z/6vltHSfdDyyXPfP+tpEsdPq2fqsP1LdXXQNL4v5//fv77+X/+Ixmtzf8z/J6q2/8H5vTfz38//3/5MJnuv35P9zTOQ0ojSelVVt1N9osgq+pAtDHTIg4jGovQPEtBH7v7u7yN21KY9x/g/Q50dSqr/U0NNAB7HURD3HJxH6f+Og92Yfg+k35MoP+teZ/6iUx5IAUPVMECPcQs9GOhaPwjTNVBUiZlHwfKh0/xbU0ZtD/B3KayX95UvghExgKlYRzoH94/X2ncyWo9lXQJeCICAe8R+By/0UbA/AFvhG/mdx7iAMZ/hfensP4nGB/ex/ZFQHIWBLB+4sczSuObmXeqJl/XGBzgXz8+wPunMOUHmN8V8Uy1QF/KAmLpi+1v0D+F/qEPeCetv64N158CfbisiATe3een4X2gP4tw/ZQ29/f7+u88/3f0wfcLN7/67++rTdxK6J/RuIDvBD4VzB/aGtcvMzSUKD8pB/oS6L++Se0b/iF9Qru+zMpXDfLl3dRG3N8//wdZJaO8fv17uvrP8t2bf1//+mhu+nL/e2zWh/SD+akp0K+B+cH6iYgJp3ED86uN/PXczE9rZt7d9nGR/es48IyhQaisfIfh9/H//DG8Veb/KH/hf1gHrl073QlRvv7fx43/fv7zhwEusTJdVXceTpdTiJ+E0v5WHzyIvzzEjzeIP9YYz4m+vlwTtl38sT96+F8f2+prtCH/2pYqAPI4CQ40iAC/Sc9Qp2OZqVuUcsCO+nSF7xngkobvYcVD1cYJrGWiaVOE9vlrBu8GghUhte9reJ4D5pE+nu038VULuiBCsKhnp6uOe+ULqSl8T3cPgAHxMVc3Jr03Ualq7rMJge8csADm8xDB+4Cj1zBdFDJt0sq8j+P7MH6d7hN2wPlxKlYqp+KY8gbWkwFO1mwTr0KxD449PeP3COfTxlewQV/aBT5/Me0VO73B+yKrWyIJk5/vX0NdA0bQAtZfaor0alrWx7IE7BA6nswrrxY5fd367PE47KQ41M+MElgfb0ihbuWnrQOdBRv4yQf57XsfH+SX72pav8ffn7/Y51lBcm+b5ov3UO6eOOYXcuWHjZ8usu6Jb2AFCcTvB7GBd32D332cXu+85/i9Rcw5gl0Xhl/An6oOgYch8NADenJ4ZqV8GuBHAD3Abks17SaAO5Ow8ibAr6nMeEV88SoAw8AuFyTdSUXBIGcU5U+qAugJdilMG5QP/CA/nkFekH/AyzjklK7ceI+ssePNfTsefL8xH2xazwqgdwPYN8pjESVg91OQhyx+FyljUjdg6+JQUPrg+jvA/01/R9dfcKGS+DWsnUN7Z9dPRWnsfh+Hbv6BGCgHOwd465vvxH6fLeB5RukCxiMw9hTfE6l6c++LsuoQlxvQDw6yKso+npjvKTv9GuIK/uaTjNvxU5gr0B50AsaphZT1DWxKGFn9wc+DzngA+lCj/SA6PpRm/PhoxxeNzlQgNNCzAv2T9RT0EeiF+gbyM8QTIegV348yinb6wcpRM9qYibSyyYyM2L/dgNbYX1ql8H/4G+gzyjvKTIjzAZrA/Be4vkeVc/Cl6pqn7CBBP3E+QWPeF2fQB4H8BaxRGW2lFg2uT7v+YH1ctRRtGtCLIh6APaMwJmMGNze2v8g3/UmcX4ayi35H2kgpRSM0NWsh9++gj6AfQN93lbBH0Ncr4M8zQ/wQMcpLJYShl5G/YNJJLgBP0tjQH+VRIf0p6AK1eMclexfAny3iA8wP9KZl6QL7A0zvRnnE9yuUR6Q3fD+dAM/we0ibm6yEhL7AL6QBw3VWIsTvIJszmbI6QLyB8WVKJ6Ty1iC/EujXi2onYT0M/JRTlXmAR+jnCqZ7q1/BoQG88m5GnrQXKMC7CvDM+BRZnDCQ36AA/ag40K9+AAy7hmAXgMfYf4ryHqKfXe1Qn2/4vG0HHQHaQ3/In23Yx5UW7Ib8VJQRwFHUr8yD96WR7xj7q0uLl8/AXwHjEXbhN0IZ4skJ8KcFe3BCvBUZNXiL8nWkbNSfHvUtymG+KG+gH8GhBl8R9D9lLcgDrNPKpDbyvjPzU77Pzj744oDn2E+E+gz4DOMnrEF6gU+G9N+wG/KL2PfBjzV+LfytAf2iE1ifj/hRVqRlhl5xgnhepnY+QLtHWE81Rz83NfLzaPCrMvaVSA32wOCNaKUdXwqJ9DT4hfLi5g/yDTJj9B/0E+wpxkXvdi7x7WjnB/aONkZ/KHsV1j48IpaBjoD8NSg/4K/jfFB3mbGPwuqrwfNfCatMXNPUN6PjVX0zeFV5DeC1oY8
                            Source: classification engineClassification label: mal100.troj.evad.winEXE@37/43@0/0
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Users\user\Desktop\RCX6567.tmpJump to behavior
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMutant created: NULL
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeMutant created: \Sessions\1\BaseNamedObjects\Local\59a07570a8a8386aa1a299e6ab573f686e7e8154
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Users\user\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859Jump to behavior
                            Source: Mt6QkZnVbc.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: Mt6QkZnVbc.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: Mt6QkZnVbc.exeReversingLabs: Detection: 81%
                            Source: Mt6QkZnVbc.exeVirustotal: Detection: 81%
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile read: C:\Users\user\Desktop\Mt6QkZnVbc.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\Mt6QkZnVbc.exe "C:\Users\user\Desktop\Mt6QkZnVbc.exe"
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\services.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\dwm.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
                            Source: unknownProcess created: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                            Source: unknownProcess created: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: unknownProcess created: C:\Recovery\dwm.exe C:\Recovery\dwm.exe
                            Source: unknownProcess created: C:\Recovery\dwm.exe C:\Recovery\dwm.exe
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: unknownProcess created: C:\Recovery\services.exe C:\Recovery\services.exe
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: unknownProcess created: C:\Recovery\services.exe C:\Recovery\services.exe
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
                            Source: unknownProcess created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
                            Source: unknownProcess created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
                            Source: unknownProcess created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                            Source: unknownProcess created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe"
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: twext.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: cscui.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: policymanager.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: msvcp110_win.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: workfoldersshell.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: ntshrui.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: cscapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: twinapi.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: textshaping.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: wtsapi32.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: starttiledata.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: usermgrcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: usermgrproxy.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: acppage.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: sfc.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: msi.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: aepic.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: sfc_os.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: version.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: version.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: version.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: version.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Recovery\dwm.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Recovery\services.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\services.exeSection loaded: apphelp.dll
                            Source: C:\Recovery\services.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\services.exeSection loaded: version.dll
                            Source: C:\Recovery\services.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\services.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\services.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\services.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\services.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\services.exeSection loaded: wldp.dll
                            Source: C:\Recovery\services.exeSection loaded: profapi.dll
                            Source: C:\Recovery\services.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\services.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\services.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\services.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Recovery\services.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\services.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\services.exeSection loaded: version.dll
                            Source: C:\Recovery\services.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\services.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\services.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\services.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\services.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\services.exeSection loaded: wldp.dll
                            Source: C:\Recovery\services.exeSection loaded: profapi.dll
                            Source: C:\Recovery\services.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\services.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\services.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\services.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Recovery\sihost.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\sihost.exeSection loaded: apphelp.dll
                            Source: C:\Recovery\sihost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\sihost.exeSection loaded: version.dll
                            Source: C:\Recovery\sihost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\sihost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\sihost.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\sihost.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\sihost.exeSection loaded: wldp.dll
                            Source: C:\Recovery\sihost.exeSection loaded: profapi.dll
                            Source: C:\Recovery\sihost.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\sihost.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\sihost.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\sihost.exeSection loaded: sspicli.dll
                            Source: C:\Recovery\sihost.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\sihost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\sihost.exeSection loaded: version.dll
                            Source: C:\Recovery\sihost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\sihost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\sihost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\sihost.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\sihost.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\sihost.exeSection loaded: wldp.dll
                            Source: C:\Recovery\sihost.exeSection loaded: profapi.dll
                            Source: C:\Recovery\sihost.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\sihost.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\sihost.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\sihost.exeSection loaded: sspicli.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: mscoree.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: apphelp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: version.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: wldp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: profapi.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: sspicli.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: mscoree.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: version.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: wldp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: profapi.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: sspicli.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: mscoree.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: version.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: wldp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: profapi.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDirectory created: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDirectory created: C:\Program Files\Windows Portable Devices\5d095569012eb4Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDirectory created: C:\Program Files\Windows Portable Devices\RCX7115.tmpJump to behavior
                            Source: Mt6QkZnVbc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: Mt6QkZnVbc.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                            Source: Mt6QkZnVbc.exeStatic file information: File size 1261056 > 1048576
                            Source: Mt6QkZnVbc.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x133600
                            Source: Mt6QkZnVbc.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            barindex
                            .NET source code contains potential unpacker
                            Source: Mt6QkZnVbc.exe, 78v.cs.Net Code: _9jF
                            Source: Mt6QkZnVbc.exe, Ba5.cs.Net Code: _1G1 System.AppDomain.Load(byte[])
                            Source: Mt6QkZnVbc.exe, Ba5.cs.Net Code: _1G1 System.Reflection.Assembly.Load(byte[])
                            Source: Mt6QkZnVbc.exe, Ba5.cs.Net Code: _1G1
                            Source: dwm.exe.0.drStatic PE information: real checksum: 0x13d0fa should be: 0x142058
                            Source: services.exe.0.drStatic PE information: real checksum: 0x13d0fa should be: 0x142058
                            Source: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe.0.drStatic PE information: real checksum: 0x13d0fa should be: 0x142058
                            Source: UserOOBEBroker.exe.0.drStatic PE information: real checksum: 0x13d0fa should be: 0x142058
                            Source: Mt6QkZnVbc.exeStatic PE information: real checksum: 0x13d0fa should be: 0x142058
                            Source: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe0.0.drStatic PE information: real checksum: 0x13d0fa should be: 0x142058
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeCode function: 0_2_00007FFD9B87EAC8 pushad ; iretd 0_2_00007FFD9B87EAC9

                            Persistence and Installation Behavior

                            barindex
                            Creates processes via WMI
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Drops PE files with benign system names
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\dwm.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\services.exeJump to dropped file
                            Drops executables to the windows directory (C:\Windows) and starts them
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeExecutable created and started: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\RCX6C11.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\dwm.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\RCX786B.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\Windows Mail\RCX69BF.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files\Windows Portable Devices\RCX7115.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\RCX67AA.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\RCX6E93.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\Google\RCX75E9.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)Jump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)Jump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Users\user\Desktop\RCX6567.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Users\user\Desktop\Mt6QkZnVbc.exe (copy)Jump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\sihost.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Recovery\services.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\RCX6E93.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile created: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmpJump to dropped file

                            Boot Survival

                            barindex
                            Uses schtasks.exe or at.exe to add and modify task schedules
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\services.exe'" /f
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\services.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Recovery\sihost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeMemory allocated: 1820000 memory reserve | memory write watchJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeMemory allocated: 1B2D0000 memory reserve | memory write watchJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeMemory allocated: 17A0000 memory reserve | memory write watchJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeMemory allocated: 1B400000 memory reserve | memory write watchJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeMemory allocated: A20000 memory reserve | memory write watchJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeMemory allocated: 1A510000 memory reserve | memory write watchJump to behavior
                            Source: C:\Recovery\dwm.exeMemory allocated: 1520000 memory reserve | memory write watchJump to behavior
                            Source: C:\Recovery\dwm.exeMemory allocated: 1B330000 memory reserve | memory write watchJump to behavior
                            Source: C:\Recovery\dwm.exeMemory allocated: E00000 memory reserve | memory write watchJump to behavior
                            Source: C:\Recovery\dwm.exeMemory allocated: 1A9B0000 memory reserve | memory write watchJump to behavior
                            Source: C:\Recovery\services.exeMemory allocated: BB0000 memory reserve | memory write watch
                            Source: C:\Recovery\services.exeMemory allocated: 1AAA0000 memory reserve | memory write watch
                            Source: C:\Recovery\services.exeMemory allocated: 29B0000 memory reserve | memory write watch
                            Source: C:\Recovery\services.exeMemory allocated: 1A9B0000 memory reserve | memory write watch
                            Source: C:\Recovery\sihost.exeMemory allocated: 770000 memory reserve | memory write watch
                            Source: C:\Recovery\sihost.exeMemory allocated: 1A320000 memory reserve | memory write watch
                            Source: C:\Recovery\sihost.exeMemory allocated: 2420000 memory reserve | memory write watch
                            Source: C:\Recovery\sihost.exeMemory allocated: 1A5A0000 memory reserve | memory write watch
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMemory allocated: 1600000 memory reserve | memory write watch
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMemory allocated: 1B080000 memory reserve | memory write watch
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMemory allocated: EC0000 memory reserve | memory write watch
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMemory allocated: 1ABD0000 memory reserve | memory write watch
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMemory allocated: 2380000 memory reserve | memory write watch
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeMemory allocated: 1A500000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\dwm.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\dwm.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\services.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\services.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\sihost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\sihost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWindow / User API: threadDelayed 1505Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeWindow / User API: threadDelayed 689Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeWindow / User API: threadDelayed 368Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeWindow / User API: threadDelayed 485Jump to behavior
                            Source: C:\Recovery\dwm.exeWindow / User API: threadDelayed 369Jump to behavior
                            Source: C:\Recovery\dwm.exeWindow / User API: threadDelayed 367Jump to behavior
                            Source: C:\Recovery\services.exeWindow / User API: threadDelayed 374
                            Source: C:\Recovery\services.exeWindow / User API: threadDelayed 365
                            Source: C:\Recovery\sihost.exeWindow / User API: threadDelayed 462
                            Source: C:\Recovery\sihost.exeWindow / User API: threadDelayed 365
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeWindow / User API: threadDelayed 367
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeWindow / User API: threadDelayed 464
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeWindow / User API: threadDelayed 476
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Recovery\RCX6C11.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Recovery\RCX786B.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Mail\RCX69BF.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Program Files\Windows Portable Devices\RCX7115.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Recovery\RCX67AA.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Windows\SKB\LanguageModels\RCX6E93.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\RCX75E9.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)Jump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)Jump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Users\user\Desktop\RCX6567.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Users\user\Desktop\Mt6QkZnVbc.exe (copy)Jump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeDropped PE file which has not been started: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmpJump to dropped file
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe TID: 7368Thread sleep count: 1505 > 30Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe TID: 7368Thread sleep count: 689 > 30Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe TID: 7324Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 5228Thread sleep count: 368 > 30Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 8048Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 6908Thread sleep count: 485 > 30Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 8032Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Recovery\dwm.exe TID: 7788Thread sleep count: 369 > 30Jump to behavior
                            Source: C:\Recovery\dwm.exe TID: 5824Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Recovery\dwm.exe TID: 6940Thread sleep count: 367 > 30Jump to behavior
                            Source: C:\Recovery\dwm.exe TID: 8152Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Recovery\services.exe TID: 6164Thread sleep count: 374 > 30
                            Source: C:\Recovery\services.exe TID: 7244Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\services.exe TID: 7720Thread sleep count: 365 > 30
                            Source: C:\Recovery\services.exe TID: 7136Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\sihost.exe TID: 7936Thread sleep count: 462 > 30
                            Source: C:\Recovery\sihost.exe TID: 7916Thread sleep count: 199 > 30
                            Source: C:\Recovery\sihost.exe TID: 7860Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\sihost.exe TID: 8004Thread sleep count: 365 > 30
                            Source: C:\Recovery\sihost.exe TID: 7972Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 8120Thread sleep count: 367 > 30
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 8084Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 6912Thread sleep count: 231 > 30
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 916Thread sleep count: 206 > 30
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 8096Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 6424Thread sleep count: 464 > 30
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 7908Thread sleep count: 476 > 30
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 5436Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Recovery\dwm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Recovery\dwm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Recovery\services.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\services.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\sihost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\sihost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\dwm.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\dwm.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\services.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\services.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\sihost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\sihost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\userJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeFile opened: C:\Users\user\AppDataJump to behavior
                            Source: Mt6QkZnVbc.exe, 00000000.00000002.1854120920.000000001C89D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\dwm.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\dwm.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Recovery\services.exeProcess token adjusted: Debug
                            Source: C:\Recovery\services.exeProcess token adjusted: Debug
                            Source: C:\Recovery\sihost.exeProcess token adjusted: Debug
                            Source: C:\Recovery\sihost.exeProcess token adjusted: Debug
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess token adjusted: Debug
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess token adjusted: Debug
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeMemory allocated: page read and write | page guardJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeProcess created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeQueries volume information: C:\Users\user\Desktop\Mt6QkZnVbc.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeQueries volume information: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe VolumeInformationJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exeQueries volume information: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe VolumeInformationJump to behavior
                            Source: C:\Recovery\dwm.exeQueries volume information: C:\Recovery\dwm.exe VolumeInformationJump to behavior
                            Source: C:\Recovery\dwm.exeQueries volume information: C:\Recovery\dwm.exe VolumeInformationJump to behavior
                            Source: C:\Recovery\services.exeQueries volume information: C:\Recovery\services.exe VolumeInformation
                            Source: C:\Recovery\services.exeQueries volume information: C:\Recovery\services.exe VolumeInformation
                            Source: C:\Recovery\sihost.exeQueries volume information: C:\Recovery\sihost.exe VolumeInformation
                            Source: C:\Recovery\sihost.exeQueries volume information: C:\Recovery\sihost.exe VolumeInformation
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeQueries volume information: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe VolumeInformation
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeQueries volume information: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe VolumeInformation
                            Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exeQueries volume information: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe VolumeInformation
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

                            barindex
                            Disable UAC(promptonsecuredesktop)
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeRegistry value created: PromptOnSecureDesktop 0Jump to behavior
                            Disables UAC (registry)
                            Source: C:\Users\user\Desktop\Mt6QkZnVbc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior

                            Stealing of Sensitive Information

                            barindex
                            Yara detected DCRat
                            Source: Yara matchFile source: Mt6QkZnVbc.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000023.00000002.1868252045.000000000235C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000025.00000002.1874198881.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000002.1864451936.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000023.00000002.1868252045.0000000002321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.1865431873.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000002.1864451936.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000002.1864857934.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000027.00000002.1901322545.0000000002501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.1865431873.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000012.00000002.1864892550.000000000336C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000026.00000002.1872612661.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000026.00000002.1872612661.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000012.00000002.1864892550.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000024.00000002.1875796279.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.1866202094.000000000343F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.1866202094.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1690631223.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000016.00000002.1865521844.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: Mt6QkZnVbc.exe PID: 7288, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe PID: 7896, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe PID: 7920, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 7960, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 7980, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: services.exe PID: 8024, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: services.exe PID: 8076, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: sihost.exe PID: 7820, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: sihost.exe PID: 7836, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: UserOOBEBroker.exe PID: 7912, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: UserOOBEBroker.exe PID: 7952, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: UserOOBEBroker.exe PID: 2504, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX786B.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX67AA.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\sihost.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\dwm.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX6C11.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\services.exe, type: DROPPED

                            Remote Access Functionality

                            barindex
                            Yara detected DCRat
                            Source: Yara matchFile source: Mt6QkZnVbc.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000023.00000002.1868252045.000000000235C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000025.00000002.1874198881.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000002.1864451936.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000023.00000002.1868252045.0000000002321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.1865431873.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000002.1864451936.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000002.1864857934.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000027.00000002.1901322545.0000000002501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.1865431873.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000012.00000002.1864892550.000000000336C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000026.00000002.1872612661.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000026.00000002.1872612661.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000012.00000002.1864892550.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000024.00000002.1875796279.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.1866202094.000000000343F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.1866202094.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000000.1690631223.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000016.00000002.1865521844.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: Mt6QkZnVbc.exe PID: 7288, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe PID: 7896, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe PID: 7920, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 7960, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 7980, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: services.exe PID: 8024, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: services.exe PID: 8076, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: sihost.exe PID: 7820, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: sihost.exe PID: 7836, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: UserOOBEBroker.exe PID: 7912, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: UserOOBEBroker.exe PID: 7952, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: UserOOBEBroker.exe PID: 2504, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX786B.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX67AA.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\sihost.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\dwm.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\RCX6C11.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED
                            Source: Yara matchFile source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Recovery\services.exe, type: DROPPED

                            Mitre Att&ck Matrix

                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                            Windows Management Instrumentation                            		1
                            Scheduled Task/Job                            		11
                            Process Injection                            		223
                            Masquerading                            		OS Credential Dumping11
                            Security Software Discovery                            		Remote Services11
                            Archive Collected Data                            		1
                            Encrypted Channel                            		Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault Accounts1
                            Scheduled Task/Job                            		1
                            DLL Side-Loading                            		1
                            Scheduled Task/Job                            		11
                            Disable or Modify Tools                            		LSASS Memory1
                            Process Discovery                            		Remote Desktop ProtocolData from Removable Media1
                            Application Layer Protocol                            		Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                            DLL Side-Loading                            		31
                            Virtualization/Sandbox Evasion                            		Security Account Manager31
                            Virtualization/Sandbox Evasion                            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                            Bypass User Account Control                            		11
                            Process Injection                            		NTDS1
                            Application Window Discovery                            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                            Deobfuscate/Decode Files or Information                            		LSA Secrets2
                            File and Directory Discovery                            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                            Obfuscated Files or Information                            		Cached Domain Credentials14
                            System Information Discovery                            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                            Software Packing                            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                            DLL Side-Loading                            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                            Bypass User Account Control                            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                            File Deletion                            		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                            Behavior Graph

                            Hide Legend

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                            windows-stand

                            Antivirus, Machine Learning and Genetic Malware Detection

                            Initial Sample

                            SourceDetectionScannerLabelLink
                            Mt6QkZnVbc.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            Mt6QkZnVbc.exe81%VirustotalBrowse
                            Mt6QkZnVbc.exe100%AviraHEUR/AGEN.1310064
                            Mt6QkZnVbc.exe100%Joe Sandbox ML

                            Dropped Files

                            SourceDetectionScannerLabelLink
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%AviraHEUR/AGEN.1310064
                            C:\Recovery\dwm.exe100%AviraHEUR/AGEN.1310064
                            C:\Recovery\RCX67AA.tmp100%AviraHEUR/AGEN.1310064
                            C:\Windows\SKB\LanguageModels\RCX6E93.tmp100%AviraHEUR/AGEN.1310064
                            C:\Program Files\Windows Portable Devices\RCX7115.tmp100%AviraHEUR/AGEN.1310064
                            C:\Program Files (x86)\Google\RCX75E9.tmp100%AviraHEUR/AGEN.1310064
                            C:\Recovery\RCX786B.tmp100%AviraHEUR/AGEN.1310064
                            C:\Users\user\Desktop\RCX6567.tmp100%AviraHEUR/AGEN.1310064
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%AviraHEUR/AGEN.1310064
                            C:\Recovery\RCX6C11.tmp100%AviraHEUR/AGEN.1310064
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%AviraHEUR/AGEN.1310064
                            C:\Recovery\services.exe100%AviraHEUR/AGEN.1310064
                            C:\Recovery\sihost.exe100%AviraHEUR/AGEN.1310064
                            C:\Program Files (x86)\Windows Mail\RCX69BF.tmp100%AviraHEUR/AGEN.1310064
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%AviraHEUR/AGEN.1310064
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%Joe Sandbox ML
                            C:\Recovery\dwm.exe100%Joe Sandbox ML
                            C:\Recovery\RCX67AA.tmp100%Joe Sandbox ML
                            C:\Windows\SKB\LanguageModels\RCX6E93.tmp100%Joe Sandbox ML
                            C:\Program Files\Windows Portable Devices\RCX7115.tmp100%Joe Sandbox ML
                            C:\Program Files (x86)\Google\RCX75E9.tmp100%Joe Sandbox ML
                            C:\Recovery\RCX786B.tmp100%Joe Sandbox ML
                            C:\Users\user\Desktop\RCX6567.tmp100%Joe Sandbox ML
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%Joe Sandbox ML
                            C:\Recovery\RCX6C11.tmp100%Joe Sandbox ML
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%Joe Sandbox ML
                            C:\Recovery\services.exe100%Joe Sandbox ML
                            C:\Recovery\sihost.exe100%Joe Sandbox ML
                            C:\Program Files (x86)\Windows Mail\RCX69BF.tmp100%Joe Sandbox ML
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe100%Joe Sandbox ML
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe81%VirustotalBrowse
                            C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe81%VirustotalBrowse
                            C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe81%VirustotalBrowse
                            C:\Recovery\dwm.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Recovery\dwm.exe81%VirustotalBrowse
                            C:\Recovery\services.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Recovery\services.exe81%VirustotalBrowse
                            C:\Recovery\sihost.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Recovery\sihost.exe81%VirustotalBrowse
                            C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe81%VirustotalBrowse
                            C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe82%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                            C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe81%VirustotalBrowse

                            Unpacked PE Files

                            No Antivirus matches

                            Domains

                            No Antivirus matches

                            URLs

                            No Antivirus matches

                            Domains and IPs

                            Contacted Domains

                            No contacted domains info

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0Xfalse
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://aka.ms/Vh5j3ktaMt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://aka.ms/odirmogramMt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high

                                    World Map of Contacted IPs

                                    No contacted IP infos

                                    General Information

                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1427111
                                    Start date and time:2024-04-17 02:01:04 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 8m 19s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:40
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Mt6QkZnVbc.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:49267a1e4c9cbb955209690e1d82d1d1.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@37/43@0/0
                                    EGA Information:
                                    • Successful, ratio: 8.3%
                                    HCA Information:
                                    • Successful, ratio: 72%
                                    • Number of executed functions: 358
                                    • Number of non-executed functions: 20
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe

                                    Warnings

                                    • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, PID 7896 because it is empty
                                    • Execution Graph export aborted for target BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, PID 7920 because it is empty
                                    • Execution Graph export aborted for target UserOOBEBroker.exe, PID 2504 because it is empty
                                    • Execution Graph export aborted for target UserOOBEBroker.exe, PID 7912 because it is empty
                                    • Execution Graph export aborted for target UserOOBEBroker.exe, PID 7952 because it is empty
                                    • Execution Graph export aborted for target dwm.exe, PID 7960 because it is empty
                                    • Execution Graph export aborted for target dwm.exe, PID 7980 because it is empty
                                    • Execution Graph export aborted for target services.exe, PID 8024 because it is empty
                                    • Execution Graph export aborted for target services.exe, PID 8076 because it is empty
                                    • Execution Graph export aborted for target sihost.exe, PID 7820 because it is empty
                                    • Execution Graph export aborted for target sihost.exe, PID 7836 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    01:02:02Task SchedulerRun new task: BxpXDwLzzgPDKkwHFtsUbGgAjn path: "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
                                    01:02:02Task SchedulerRun new task: BxpXDwLzzgPDKkwHFtsUbGgAjnB path: "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
                                    01:02:02Task SchedulerRun new task: dwm path: "C:\Recovery\dwm.exe"
                                    01:02:02Task SchedulerRun new task: dwmd path: "C:\Recovery\dwm.exe"
                                    01:02:02Task SchedulerRun new task: services path: "C:\Recovery\services.exe"
                                    01:02:02Task SchedulerRun new task: servicess path: "C:\Recovery\services.exe"
                                    01:02:04Task SchedulerRun new task: sihost path: "C:\Recovery\sihost.exe"
                                    01:02:04Task SchedulerRun new task: sihosts path: "C:\Recovery\sihost.exe"
                                    01:02:04Task SchedulerRun new task: UserOOBEBroker path: "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe"
                                    01:02:04Task SchedulerRun new task: UserOOBEBrokerU path: "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe"

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASNs

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Program Files (x86)\Google\5d095569012eb4

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (357), with no line terminators
                                    Category:dropped
                                    Size (bytes):357
                                    Entropy (8bit):5.847417145243534
                                    Encrypted:false
                                    SSDEEP:6:dDPnq1wytVZEHHRXefOGo2qYt9H62Sau+FtcK95Jiyg7+zQSiAGJfH32NYGsExub:dDCAnBh2nDAsuEhg7+zQSCHmlQNh
                                    MD5:56E419CBA08C4186EA2BED068FFD3C19
                                    SHA1:505EF64F79588716B3A7FCA13AA9F32E451F493A
                                    SHA-256:9A40FE29DEB1EBC3F1AA61C9930F286F81144167692E24BB3051ACB2F938D638
                                    SHA-512:6C6C9DD9FABA2E81CC7BE4874B6597401B6E63F3F35B4C27306C81C5B5CC036B40BF40795887239637B4C38E5F9FAE56CFBBA2287AF3E947BC8A02CE390082F3
                                    Malicious:false
                                    Preview:eYFqNkdwxvcZBrf1bxzxmUOcwHP7UJwg66VuFatQlPrgFe5CdNMaXWtKKn4GUfco96cFWuwADjLWnsWSLNeG6VIkMLkcgn5FwCgIB0qsbLXyKWhcQl4HBVrny22LJTdanGkkLORUhvov7UaznIM5sxDaU2UJ8fjIr7KEw6QBUjkQq6qdbChBHir0CJPS3IWCMgDAKWDq1KkIMxtYM1r57hBIPUBmr8ILNiEK3pSF90K67jnOZ1FCbaEof4v0Ua92CZ5otjfhil6HWELprxM02FuweZo83cvi0R4io8f0Wieze6RbtFIhNJ96oIKU4gnF0XQFJmBsSWdUl4RhHNPyTNVrR83gyL5z4Y9Gq

                                    C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: ditekSHen
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: ditekSHen
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: ditekSHen
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Program Files (x86)\Google\RCX75E9.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.762179782418735
                                    Encrypted:false
                                    SSDEEP:24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v
                                    MD5:A413419A271A45957F60706C5D2D58F4
                                    SHA1:94F94C3989D2E4C8BB4F3378E39886FD6C9A78AD
                                    SHA-256:77C2678F7E6868BA36DC19FFC6FC4928AB9BAB272F2B149CB244671919E4FDF8
                                    SHA-512:BB79BB1CE9DCB31232309A4BA5B09468D65A4A94DB78041216E94716FE69361B25DFA781E8DD83C2A704F0DD8F7B5FCBC01B0EF064349BF1324AB497A47A38D8
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Google\RCX75E9.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Google\RCX75E9.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files (x86)\Google\RCX75E9.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files (x86)\Windows Mail\5d095569012eb4

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (594), with no line terminators
                                    Category:dropped
                                    Size (bytes):594
                                    Entropy (8bit):5.870351474945938
                                    Encrypted:false
                                    SSDEEP:12:eAd/0SaOnVKxjxf4FXxj0qfDs46TFurmWSqKMm4WpYQRrBbCJYoZ5UxNn:e4/0SayK5ZkQaDs46TFHWSbIWF8d5UxN
                                    MD5:498973B5B3DB19262AE38E13D387E00E
                                    SHA1:E7CF773EC5EDEE078EDCA2D035B98535EB656DFE
                                    SHA-256:D9161565718DD56762174F5A42CF07B0E8D55E9AC62FE95BF1CB9701696A2430
                                    SHA-512:8B31F2A98227EC916273754C16582A06B2CD195B2B38C83B80697C6D8256C14D5536603DC518F5ABB7F00ABB27366765624E8F1564C18E2D541930BED857D36F
                                    Malicious:false
                                    Preview:UcyT6bkgKSPTvlLs5UrS7ryrt38FfQPvxU4TclWh4wYKUWIg09YdANnmoGkCdeB3Degaq2PU8KXKTnXWubOg2wujqSoWATDaufHz0r08tDe0zcTAtNRBPfAQt6tYN3TpG7axghgDlQwyR4tO8onxBBKPe0G37bu0uzu1CfeLrOa8sL9yMfZjQgnExLTqbmFJg6EcK2MdKbGwlLgS1RrcBKkOLpE0MxuEJRcwHgoUT6ZyZ0dlpAzJ5mHVW0QexVQWrBnUttLUmXIFvvyVMdLM8kJgJGaQQJg8qCHYNJ15zehidCjkC5RUJDXG2GKnT4Dd0KZsoaHDlQXdDlDHgzOV1LympAfH8Ol4bDrTn05mxOt3q4CRDDGdqslpWwDn4AFXocC93tep4linc55u7OD5HIOtcC70wSswJVON1DYTjajEJ7Na1Tpq7JPgOTg1wn3l3weGrr34zuWqjJjfzg9dmBz9Fs8iggg5h7KXcGtJZv0Mxj7FtBCQoZ826fA8sUXTNaJl8MCsxzD1LmLgv3zeeQQI8Sa7GuaFXh8WZVGh9TcyVHrUTdNzf2y7KAmpvElDZ8ennzGZwSfKxbx1lG

                                    C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Program Files (x86)\Windows Mail\RCX69BF.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761835187469292
                                    Encrypted:false
                                    SSDEEP:24576:tR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:zJaDKf4p4UD1v
                                    MD5:2B82EED2D3F1990B19CAD20B9CB5A901
                                    SHA1:953D41CF14F9E62F5922F7A7CDEA2DE186F19D3B
                                    SHA-256:1A618255B4CD578926086F84970BBF81188A5559AAE09F796DA52F9EBA0D7EF8
                                    SHA-512:74BBA7D43C6F2E0D6E993EF2073FD198A999BE0A4BFF0041D3268C7CD3B525EB225B4E8E4D83AAFC14C2785058E08BF5F38E18D7D3884C837A7737B25C2425F5
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.762179782418735
                                    Encrypted:false
                                    SSDEEP:24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v
                                    MD5:A413419A271A45957F60706C5D2D58F4
                                    SHA1:94F94C3989D2E4C8BB4F3378E39886FD6C9A78AD
                                    SHA-256:77C2678F7E6868BA36DC19FFC6FC4928AB9BAB272F2B149CB244671919E4FDF8
                                    SHA-512:BB79BB1CE9DCB31232309A4BA5B09468D65A4A94DB78041216E94716FE69361B25DFA781E8DD83C2A704F0DD8F7B5FCBC01B0EF064349BF1324AB497A47A38D8
                                    Malicious:true
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761835187469292
                                    Encrypted:false
                                    SSDEEP:24576:tR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:zJaDKf4p4UD1v
                                    MD5:2B82EED2D3F1990B19CAD20B9CB5A901
                                    SHA1:953D41CF14F9E62F5922F7A7CDEA2DE186F19D3B
                                    SHA-256:1A618255B4CD578926086F84970BBF81188A5559AAE09F796DA52F9EBA0D7EF8
                                    SHA-512:74BBA7D43C6F2E0D6E993EF2073FD198A999BE0A4BFF0041D3268C7CD3B525EB225B4E8E4D83AAFC14C2785058E08BF5F38E18D7D3884C837A7737B25C2425F5
                                    Malicious:true
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files\Windows Portable Devices\5d095569012eb4

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):287
                                    Entropy (8bit):5.818711935699742
                                    Encrypted:false
                                    SSDEEP:6:9uAcioQiLzyD1vE7nWEeNxHSBHpNddBnQ1RaI4mS/nYfJ0CZwqssf0v8:0AhwLzQ1viW/NBSBh7Q1Ra5/nY7s7E
                                    MD5:9843ED87AC8419FB7C21A882B37F10F2
                                    SHA1:AC022DA5082A2D27DD5868BD7AFA22B45429F50B
                                    SHA-256:70F818F9DEF1C845BB74D0D22E8FB2DC8104B05FE644054B705353D87130695F
                                    SHA-512:8FA529432836E545127B13884C6A6FB96551A53FCBCC96B409739CE2A13F4A8B54496BB7357640FD8B5807E3944193C05E787A1C9E9AE673678D287558EAD846
                                    Malicious:false
                                    Preview:yaiOlEYGFWeoK3zvSdJlIW84YJBm1wuGtT356Sevg9qCFCf0tTpj3NIbcozcCvPTlY5193zA9YFIp5yVnL3hGKMgKbdRdBsutXarHo0zepkfI9wg0dy11sMbLYqiahg7pUYSfGO8UEDbkqYKp7a9M02BK9ft8SY6ImzxldBuPzhxov0fAf2dGhuzcXHfkfACqGS70kjM5quXTFXZIAscZ5zl2AUNVfKuzeHic3pZ5qhaxXfXAsXjwhmuQrE0PV0Zf9hy8y6OVSgtXZxee7NnIk7R1WRvyyJ

                                    C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Program Files\Windows Portable Devices\RCX7115.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761964743102427
                                    Encrypted:false
                                    SSDEEP:24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v
                                    MD5:C2DEB277ADE971F7E24DDACC00A96814
                                    SHA1:BB8069363F12957300DBBE23823A55ADDABF2D83
                                    SHA-256:DF625F4E6EDC71F368ACE3948CBC605D91795C6AA262977264856A83F555DE91
                                    SHA-512:11B72CD5C310FA3C0ECC50DF81A80C976F8ABF9B530FF7399B58EE6AF616260BC3023C1A21386B9CBFAA3DFC5C306727A0C600ECE079233F2B8C856B9CC38613
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..\............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...\....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\66fc9ff0ee96c2

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (672), with no line terminators
                                    Category:dropped
                                    Size (bytes):672
                                    Entropy (8bit):5.881592425563378
                                    Encrypted:false
                                    SSDEEP:12:QW6+HtCKGtnSEhzd4QVEOvJsQveIQmstqvwtLUMZrmH8JBQV:QW6itCK6dhuOxsbIcD4MtmH7V
                                    MD5:002A5F805108F7E5806B1BAC0FCD25FA
                                    SHA1:ACD9BED179AED05F7D35D972A19C15B7040AB837
                                    SHA-256:77680DA91F7C85BB8310D48DFF6C14344D4F6A0759040E4CB96EAA5C504486F0
                                    SHA-512:A2E8A7A8078C9E43C6AA64FC4282E729663627C93F1509750E6C717AEE5A19292BD79E4F8A36C111E2B2EF7578D744F7DC3FB4E6BE4DDD6AAFAF00EADECAF329
                                    Malicious:false
                                    Preview:oUt0mMrRzvmCjxLsf3HboaN5L045It38eBnnJpL8NhEmWEHZGXjgIZAOHypvSwJG2nihKhjzrINHWkjGtfyuJW0EBYgVAaqaY8usgjPjyuz9M32hOiCw8Y6gwegvBNzRcwsXz0kJPP5Zg11Hg8HbY3c9BO5BDehl4hgZKerY82htch95mYOCGY3jUtWl4iGvrUe9Uc6CRscfVsgePAZoPefgo6EbHFdawvBICAkKcMvX5XNmM2W4IbgMz8UYXf4LOCtkqYcPZPMCtHkRtcOPtjRUOyTDpMw6SkJ3nn5yaHe3OedrYDo5RobouZV2FYjNcQtJ8qnGgZzmFXGuVlplh1pnIeJORDtBhRb8uUsraiY1zzjXTlhdt7pllGBehZzdqyEy6HAA27L9cxyS5w5qfQRjl0WnTOKAt4KBuubLkgkvwpIxSsjveI8agfMFuWroxKQimwiKUtF9pgx5rjVlpYgk6ufPiVaOz57lZkKfKYauD8u9rRYLAG8Zopl2RSm9T0JuiMfHYzbQ8wg7AfhQ6ONt7i6u8SO1wabNzAbfvRwLosb2Jo1vuVDEmaxAPvIFljdhVTIAECfpcCEOHEkUbcGbXWkYNaP9IqkFO3g0g1rszXmkVi2KKyoIdCK8stwnwfgvb9ANhuyjvXl9u9CohFzUCclLtiHw

                                    C:\Recovery\6cb0b6c459d5d3

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (717), with no line terminators
                                    Category:dropped
                                    Size (bytes):717
                                    Entropy (8bit):5.900401254757391
                                    Encrypted:false
                                    SSDEEP:12:FNTDMmcilGWqO48SoInUxszcnfwca3x4bRjnBd44y4nIrtHxRIg6dGCMilo7eAET:jFKO5SRnoMzh4NdJ5nEyHdYeHjOHoWkB
                                    MD5:E5A5D71369504D85B3417AF97F14F762
                                    SHA1:1B7E2029303C1753A31C21D9D7F2A6B52A203BEF
                                    SHA-256:0E6B4C4D2EC2E9C1C60C1FE2A17158180A735F8126F1E60A900BBBE355D22F10
                                    SHA-512:028A72D60D90E3FABE92A46DC3F7AEB953CE8EEA01EC094439EF3FF3E7958108EB15AA441A7B04F1B08744A65AB7AF606A719C38A44B22FA95E0ADEE33B2FE67
                                    Malicious:false
                                    Preview:ZZWnDqeWyDNXnJsNuEpb8hyY94mnrpVglcYCaOiZJQrhWHF1dL9WGdt1l7nIE1oJrqwLupxgfPRszQB2zuJgq8ZHsgbckZVRli0pU4GxYc11LBCV6uTUsIctRocOOU5G39GRaVh5nVINHh5reGgzGBjdFGYqb2jEgu7M5u4kMYqXAOmtsvtIxF92ZmLT71duvErWktvuL5nsUMd0eo7qJaQauFwTjlnV55l6hPJ99872cRhNIVyS4wlVxQlf7cLjSRwZlhSPf8qKdY7dhiKNxUaIUPIRooBhxYjLeIlkCjw6Fa1ZSI7YR7v71oFVZAl16JWFyw8Z6jLOieD3Ys9fqnQ0mlT0CQLB8496DwkfJibrvhZWkM7rBFLT3gcNcIWqYJQneHzlHeWHLiEEM7P0Te93tqDhTXCBMvTmRv2dWWjhsDHUbYBf2fX4JW4xDSRtbU5aOcxaFwe64cKpjsF5WgJqXZc41EaDEzFYIrG9llaGBa9rMOOVMVX5LOCz92iAWa1EXvg2mFUvGDp6ZvrnzE1tcKN3oR9sCZuki5UarWtHBmzHjFZOK5KRjImMimOUGlsqTEYebR5dVtr0VFUi1viHOcBZTH1FIYAZ3Iyfr5x39r6zbv1dSpdVDkb0C8KTZ0V6tS7MQz067oIhgM8hQYwc5pWSq8ctueeJV9GIyoNdzhXYc4T09nDBD3BD6ogRWHLdK8LhF0tlK

                                    C:\Recovery\RCX67AA.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761923684436933
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:57BA17330684FF20862AEA6D2FA7FDB7
                                    SHA1:898E48F9B32FCF2F68B0FF9C76D91417C84F8DF2
                                    SHA-256:D80B2C68CE3A55DF46B72D7AD1F8E8C82E2FF1A69913D810346F66241E293064
                                    SHA-512:CAD90BB249F5380CE8E1F297BD0552A16606876D4E2E2F24AE52FD79782B61E4634BEF07561704A44BD811D66EA8CDBC0E1E1BE1A583FC43169A7337CD04EC77
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\RCX67AA.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\RCX67AA.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\RCX67AA.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..l............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...l....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\RCX6C11.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.76205118726001
                                    Encrypted:false
                                    SSDEEP:24576:tR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:zJaDKf4p4UD1v
                                    MD5:99A4D8504AA239EC8A2AE5FEDDA79F16
                                    SHA1:E7388F99A9B5FC7EA59FC4559403443697C44318
                                    SHA-256:E774624BF4B90A4AC081DC711C3CF0ED5C0CB052999ADE9D36D0D70705BAC561
                                    SHA-512:713A8DDB446FEDE19AB4F3C2F571AB8A3BB271E278F276E839CEA99A0A9D36E9F5D7F67013C3601FA9F8EAF86E680BD580750D7EB5082D1DC928EEB7A3945596
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\RCX6C11.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\RCX6C11.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\RCX6C11.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..8............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...8....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\RCX786B.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761832652525472
                                    Encrypted:false
                                    SSDEEP:24576:NR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:TJaDKf4p4UD1v
                                    MD5:F2242C5503CE271DA7BA13CD05477D13
                                    SHA1:FB624A471CB27C7CD817DED93EEE33F473139E42
                                    SHA-256:59B068E5CE6FD816368004EE174EB141BA30662EE1CC18909893C59B37AB7C58
                                    SHA-512:C88508A642EB4065F48CCC23FC2E05EECD11C225208DC0AD850AACE784E9BF2E0EDD09C9C9C933ACB3ED53B101C57CD8D050E07D9B77704DD32CE5D43D950BC7
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\RCX786B.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\RCX786B.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\RCX786B.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\c5b4cb5e9653cc

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (312), with no line terminators
                                    Category:dropped
                                    Size (bytes):312
                                    Entropy (8bit):5.819169268705761
                                    Encrypted:false
                                    SSDEEP:6:ikyCpqJIVrGV3cIrsQGrY6E/10KOgNDGvPgOOw4WX5nVyIQX8GbNgL3I41sC:xiIUcIrxGrS/36AOh4WXxAIGlgL441l
                                    MD5:CD76D1951A263801852FB44857920135
                                    SHA1:8E31A9F2E46AAB377A145ACA0AA3719AD1F3B160
                                    SHA-256:899319A5F5E097C7C0CB688289B101ACCDC65E61E39AA2EAB759F414B86A1734
                                    SHA-512:B3D0C926534396C624C59DE3D1174DE3EC64180E668AE0A9894B36DC35261BF2C3CE7F7E8EC4B075F6EAB045C971C43478A67CEBDFE2701A6EDE3DEEF2D85B4A
                                    Malicious:false
                                    Preview:Rn63dWx3PGbJCNAmliwkQdeWy2sHl3bGdB9co6awbhp0NMn6zd75TICxIjElnpRVpUqBOi8pHAIsyoJmOvSI5fxU8LTF1zIvPTL2gmsQeSxS9T9dZcW1XIZJhVCCO2xS1WdfdQFmCBonseUoM0pYcRYG3BVKjqCmffbm0eAJXuyVewaCAYzYNYzk8Wlb45CW9BHNDrxszgBscDmGlSJL1nZGp0oe2iObscVcoN9TkHiqXHI4tf0mv0fWmBhMDT0RRjA9rJbXS0ltFstisuuWsmq179znqwQQRRYxHINkDcT5PvR4S8eSidjp

                                    C:\Recovery\dwm.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\dwm.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\dwm.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Recovery\services.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\services.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\services.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\services.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\services.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Recovery\sihost.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\sihost.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\sihost.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\sihost.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Recovery\sihost.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe.log

                                    Download File
                                    Process:C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mt6QkZnVbc.exe.log

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1830
                                    Entropy (8bit):5.3661116947161815
                                    Encrypted:false
                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
                                    MD5:FE86BB9E3E84E6086797C4D5A9C909F2
                                    SHA1:14605A3EA146BAB4EE536375A445B0214CD40A97
                                    SHA-256:214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
                                    SHA-512:07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UserOOBEBroker.exe.log

                                    Download File
                                    Process:C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

                                    Download File
                                    Process:C:\Recovery\dwm.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

                                    Download File
                                    Process:C:\Recovery\services.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

                                    Download File
                                    Process:C:\Recovery\sihost.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1281
                                    Entropy (8bit):5.370111951859942
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                    C:\Users\user\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (644), with no line terminators
                                    Category:dropped
                                    Size (bytes):644
                                    Entropy (8bit):5.4492644908983054
                                    Encrypted:false
                                    SSDEEP:12:xO4Pnu0/I+e94iYDFWy04akWSUeafIVFJBRafImvB1PL89e94vG5FWy0npKy:tPuJ+ep0W145WwBnRBo17nW1nl
                                    MD5:03780022AB1955AD3BD0BF6648AC36F0
                                    SHA1:713F8776409E1D08E33AC411576F44FE31ED0C93
                                    SHA-256:A805EDFE2C7E018F733374EF43A8DD5ADB985F2B40DBADD77258B0898387B592
                                    SHA-512:03C49DD1543A05D50972430A23930B99A390BB8D839B0C3965AA500437C2DA209358370D141E1880BF8B73851FA03FBB02C8171A396913A2F33DD286B5D2786D
                                    Malicious:false
                                    Preview:WyJDOlxcVXNlcnNcXGpvbmVzXFxEZXNrdG9wXFxNdDZRa1puVmJjLmV4ZSIsIkM6XFxSZWNvdmVyeVxcc2VydmljZXMuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXHdpbmRvd3MgbWFpbFxcQnhwWER3THp6Z1BES2t3SEZ0c1ViR2dBam4uZXhlIiwiQzpcXFJlY292ZXJ5XFxkd20uZXhlIiwiQzpcXFdpbmRvd3NcXFNLQlxcTGFuZ3VhZ2VNb2RlbHNcXEJ4cFhEd0x6emdQREtrd0hGdHNVYkdnQWpuLmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzXFxXaW5kb3dzIFBvcnRhYmxlIERldmljZXNcXEJ4cFhEd0x6emdQREtrd0hGdHNVYkdnQWpuLmV4ZSIsIkM6XFxXaW5kb3dzXFxTZXJ2aWNlUHJvZmlsZXNcXExvY2FsU2VydmljZVxcRGVza3RvcFxcVXNlck9PQkVCcm9rZXIuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXGdvb2dsZVxcQnhwWER3THp6Z1BES2t3SEZ0c1ViR2dBam4uZXhlIiwiQzpcXFJlY292ZXJ5XFxzaWhvc3QuZXhlIl0=

                                    C:\Users\user\Desktop\Mt6QkZnVbc.exe (copy)

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761867509761851
                                    Encrypted:false
                                    SSDEEP:24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v
                                    MD5:B28AA7EA383E0161ECBE6B73392B0BF1
                                    SHA1:38EC3EE65ECD219F03DFCBEE5F1F9F66F81DA5DE
                                    SHA-256:014C8663D769AC46B9B278A4D848BBBE492A68E45489E9347BB7116D4E61FEA2
                                    SHA-512:624CBA17ED8C63718A7C7EF9037EF7E3A498C0FB3F08DCE5350C1D14B4E4C9CFF9981076D7ED8FC4BA9F50E356C5B0DFB72BB3287BB755BF960D142B5F426FE2
                                    Malicious:true
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..t............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...t....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Users\user\Desktop\RCX6567.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761867509761851
                                    Encrypted:false
                                    SSDEEP:24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v
                                    MD5:B28AA7EA383E0161ECBE6B73392B0BF1
                                    SHA1:38EC3EE65ECD219F03DFCBEE5F1F9F66F81DA5DE
                                    SHA-256:014C8663D769AC46B9B278A4D848BBBE492A68E45489E9347BB7116D4E61FEA2
                                    SHA-512:624CBA17ED8C63718A7C7EF9037EF7E3A498C0FB3F08DCE5350C1D14B4E4C9CFF9981076D7ED8FC4BA9F50E356C5B0DFB72BB3287BB755BF960D142B5F426FE2
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\Desktop\RCX6567.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\RCX6567.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\user\Desktop\RCX6567.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..t............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...t....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Windows\SKB\LanguageModels\5d095569012eb4

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with very long lines (735), with no line terminators
                                    Category:dropped
                                    Size (bytes):735
                                    Entropy (8bit):5.8776201297558766
                                    Encrypted:false
                                    SSDEEP:12:WSjIL21eUUMsWSYrWgdllBoQRHIFm3va8Dfj0J862fs88oXIu:WXL0ULWXrblJRa8Ljo44Vu
                                    MD5:FBC4EF3BA7829B0B53A3ABB9244676BE
                                    SHA1:52994EC7C651A89515E58EE5AA47C64D4AF92A63
                                    SHA-256:06B11255B3971004FF5AFCFA133F96968C0DD6812F4B9333AC89758D22B74261
                                    SHA-512:E926850251DAA9C216EBDB1CEE2A07E85E614622B370AC828FC84D2702BEC1F91B66E371DDF3F96B592DD538E04506C3D326B28F75B83D95838B3157B8639094
                                    Malicious:false
                                    Preview:HbdFc7DMKI5GrV4NeswuJ3b0uQnu8yunuYECr3tjCnjdPM5CXtVC10jN9mUMTSOVXSVTR2gk9NsgU7liUlWOdrv4y1CEigPtZOF70lufNvDoID2CBv1s591qgbfa0bBc88HG2oss01BsoHwu8ACxphyaWYaZGUpvtkpJ6vJXDI1D7JCYpub0YOxbKqudNSmfMP8DbmyM0ptgpucMWBtW3yXexO8PBqKugV1rK86C5O9tfQvaOhGLjQmX2dQNoiLJe8AT2uCXFraoyn9gciBdj8LPsdzqstYXD0OhPbhdftG108iPeuuFhsjfwvlZ5WpWSDl8ZcRBAh802TZu5kM88SzURsue0IiJEujxXkzBdtEAtsncV0eVJrX9NQrqrwK29zwIumXUuKfPOyliFRIAoM9XWjjG2JUqiMB46estdJl9LHvZpIlZnKOw0ZwLCQbl0yqBxrlljYgfl9LOxKbuh4CY8ODhshrMr9JXbtl8h90OntL1NhX2zrD6vSDjnE3CrUxlzxxEidMhDxvPCMTKJyW96NlJqBUcGxhS5kBZtTTWef28hyhavs228xomMoYgIubPQcTbL3b0fAeaVml1e3rY5oUH5ZNE5wNuEmrEeFP1QCX7SOQjCgBPCCUlHLgwqW5swuWt5hWZozH2QWzrInBYv8rBRF6TjcL3HpKi1hofJmkN5bVuWyoCVg7yCUbzkD0LnNvlMRzk8gOIXeGzuL6uyJiksWf

                                    C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    C:\Windows\SKB\LanguageModels\RCX6E93.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761982779586096
                                    Encrypted:false
                                    SSDEEP:24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v
                                    MD5:FD8AA1D006F5C3DD7CA7FB2CFF1809AE
                                    SHA1:B3D94AC35E1E677A95535F22EAA3D05A1AA071E2
                                    SHA-256:2BF870777E0388EF47F0F95432E45844909FAE275A965C992343E096A48537E4
                                    SHA-512:5D36FDB7A9A8D76D02AD823125F74039BC4D2B5FEEE242ED1C588559FA5F81CB24F3EC36D4CC31C4976EACFCAB4438D47F8079580FF97732F33985AD95A09C73
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..T............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...T....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Windows\ServiceProfiles\LocalService\Desktop\7ccfebd9e92364

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):143
                                    Entropy (8bit):5.6301119459399995
                                    Encrypted:false
                                    SSDEEP:3:JahgCF0A0qTVc0WnQjzrcdIprGKdWnBRQzTtLsqaQaD3MWS:JaRF0A0qTVc0WQjzIdIprG1QzZL3PI3C
                                    MD5:ECC07294D8D55E4F95C863C0664CBC94
                                    SHA1:78ACFA862BCFEE81137AA78648B58DD0978703E0
                                    SHA-256:150578794EFD7E7CCF27CAE970E94C8F323EC49C930D54CF7715202B1422E784
                                    SHA-512:7E9296C13F373DABB4E67094813FBF5160B3A3FBD0547F596B9975BAE6C9C91EC0E93941CD8C10EB40B7F7C2056CD78EED17F3D73820E3CC7FB9F93D9016CF05
                                    Malicious:false
                                    Preview:OdA3W13jVSHMR5CQ6lhKZgI63QeApxhC1AVdQ89Z2Pc1cn09vjuxnlssUDAGX24iuFVQji98mIRKDRePaeOFDuZQRnIM83B9U4GWSjZMkvLfThoDjuq2ozfAqE96ZwAsGS0JLH70FCfRi37

                                    C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.7620228520844945
                                    Encrypted:false
                                    SSDEEP:24576:NR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:TJaDKf4p4UD1v
                                    MD5:7B0F077F45AE0E9A6BEF0B806BBB185F
                                    SHA1:377A6BD6DBFE41909C7A52FFCE7F77580F7AAF59
                                    SHA-256:68C8E0243226EEB82DAFA9E34758372BD7D82078A969D292123F9144BA4B6B37
                                    SHA-512:AE182E8F1845C1209A6134D34D1A03C0851C5668AA5FA89EA3BB5F3EF7B1E8DFDF17BE100C3D7BC91CE682EF2A78152177A0FEEEF31066F48B65DB1FF2A15C86
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, Author: ditekSHen
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..@............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...@....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1261056
                                    Entropy (8bit):4.761986175475392
                                    Encrypted:false
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    MD5:49267A1E4C9CBB955209690E1D82D1D1
                                    SHA1:47FB7D48398A2049F84C4A68C96EA5AC27513CBE
                                    SHA-256:1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
                                    SHA-512:26B679D6EF43B50C77D8190F3058F9732C2077B23934E44B76ED90FDAD2F0DF6A48B8FAF8F6C80E673F27167D004EC33D2E2F01F439EA4E88039BB1930A70C98
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    • Antivirus: Virustotal, Detection: 81%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."......6...........T... ...`....@.. ....................................@..................................T..K....`..L............................................................................ ............... ..H............text....4... ...6.................. ..`.rsrc...L....`.......8..............@..@.reloc...............<..............@..B.................T......H.......H...HO..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

                                    C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):4.761986175475392
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                    File name:Mt6QkZnVbc.exe
                                    File size:1'261'056 bytes
                                    MD5:49267a1e4c9cbb955209690e1d82d1d1
                                    SHA1:47fb7d48398a2049f84c4a68c96ea5ac27513cbe
                                    SHA256:1fbcb895a6e34fb2a307c0c9896b7922ea723e5eea183fa319c0142c5a761fdf
                                    SHA512:26b679d6ef43b50c77d8190f3058f9732c2077b23934e44b76ed90fdad2f0df6a48b8faf8f6c80e673f27167d004ec33d2e2f01f439ea4e88039bb1930a70c98
                                    SSDEEP:24576:1R28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:7JaDKf4p4UD1v
                                    TLSH:694531342EEA502AF173AF7D8AE47596DA5EBBA33707985D00B103C60723A42DDD153E
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.........."......6...........T... ...`....@.. ....................................@................................

                                    File Icon

                                    Icon Hash:90cececece8e8eb0

                                    Static PE Info

                                    General

                                    Entrypoint:0x5354de
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x1354900x4b.text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x1360000x34c.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x1380000xc.reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x20000x1334e40x1336002f6c18bc1343fd467c12b13028cf68abFalse0.4657809958316389data4.764029626996463IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc0x1360000x34c0x4005b9bec0e99d0153a37d830c75b050599False0.4580078125data4.002161388556511IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0x1380000xc0x2002ce17e34ccca2ca87b688e81811f9c03False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                    RT_VERSION0x1360580x2f4dataEnglishUnited States0.5555555555555556

                                    Imports

                                    DLLImport
                                    mscoree.dll_CorExeMain

                                    Possible Origin

                                    Language of compilation systemCountry where language is spokenMap
                                    EnglishUnited States

                                    Network Behavior

                                    No network behavior found

                                    Statistics

                                    CPU Usage

                                    Click to jump to process

                                    Memory Usage

                                    Click to jump to process

                                    High Level Behavior Distribution

                                    Click to dive into process behavior distribution

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:02:01:56
                                    Start date:17/04/2024
                                    Path:C:\Users\user\Desktop\Mt6QkZnVbc.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\Mt6QkZnVbc.exe"
                                    Imagebase:0xec0000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.1690631223.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:4
                                    Start time:02:02:01
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\services.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:5
                                    Start time:02:02:01
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:6
                                    Start time:02:02:01
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:7
                                    Start time:02:02:01
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:8
                                    Start time:02:02:01
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:9
                                    Start time:02:02:01
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:10
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\dwm.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:11
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:12
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:13
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
                                    Imagebase:0xf50000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000D.00000002.1866202094.000000000343F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000D.00000002.1866202094.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 82%, ReversingLabs
                                    • Detection: 81%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:14
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:15
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
                                    Imagebase:0x2d0000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.1865431873.0000000002511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.1865431873.000000000254C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:16
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:17
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:18
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Recovery\dwm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\dwm.exe
                                    Imagebase:0xed0000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.1864892550.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.1864892550.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\dwm.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 82%, ReversingLabs
                                    • Detection: 81%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:19
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Recovery\dwm.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\dwm.exe
                                    Imagebase:0x5a0000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1864451936.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1864451936.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:20
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:21
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:22
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Recovery\services.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\services.exe
                                    Imagebase:0x570000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.1865521844.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\services.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\services.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\services.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 82%, ReversingLabs
                                    • Detection: 81%, Virustotal, Browse
                                    Has exited:true

                                    General

                                    Target ID:23
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:24
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Recovery\services.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\services.exe
                                    Imagebase:0x4d0000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.1864857934.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    General

                                    Target ID:25
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:26
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:27
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:28
                                    Start time:02:02:02
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:29
                                    Start time:02:02:03
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:30
                                    Start time:02:02:03
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:31
                                    Start time:02:02:03
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:32
                                    Start time:02:02:03
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:33
                                    Start time:02:02:03
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    General

                                    Target ID:35
                                    Start time:02:02:04
                                    Start date:17/04/2024
                                    Path:C:\Recovery\sihost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\sihost.exe
                                    Imagebase:0x10000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.1868252045.000000000235C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.1868252045.0000000002321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\sihost.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\sihost.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\sihost.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 82%, ReversingLabs
                                    • Detection: 81%, Virustotal, Browse
                                    Has exited:true

                                    General

                                    Target ID:36
                                    Start time:02:02:04
                                    Start date:17/04/2024
                                    Path:C:\Recovery\sihost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Recovery\sihost.exe
                                    Imagebase:0x310000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.1875796279.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    General

                                    Target ID:37
                                    Start time:02:02:04
                                    Start date:17/04/2024
                                    Path:C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                                    Imagebase:0xeb0000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.1874198881.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 82%, ReversingLabs
                                    • Detection: 81%, Virustotal, Browse
                                    Has exited:true

                                    General

                                    Target ID:38
                                    Start time:02:02:05
                                    Start date:17/04/2024
                                    Path:C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                                    Imagebase:0x770000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1872612661.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1872612661.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    General

                                    Target ID:39
                                    Start time:02:02:09
                                    Start date:17/04/2024
                                    Path:C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe"
                                    Imagebase:0x270000
                                    File size:1'261'056 bytes
                                    MD5 hash:49267A1E4C9CBB955209690E1D82D1D1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.1901322545.0000000002501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    Disassembly

                                    Reset < >

                                      Execution Graph

                                      Execution Coverage:15.9%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:47
                                      Total number of Limit Nodes:3
                                      execution_graph 11276 7ffd9b87bec0 11277 7ffd9b87bea4 BeginUpdateResourceW 11276->11277 11279 7ffd9b8ae080 11277->11279 11214 7ffd9b87c328 11215 7ffd9b8a9460 11214->11215 11220 7ffd9b87bd30 11215->11220 11217 7ffd9b8a956e 11225 7ffd9b87bfa0 11217->11225 11219 7ffd9b8a957d 11220->11217 11221 7ffd9b8a9730 11220->11221 11222 7ffd9b8a974e 11221->11222 11238 7ffd9b87be80 11221->11238 11222->11217 11224 7ffd9b8a9761 11224->11217 11225->11219 11226 7ffd9b8a9890 11225->11226 11227 7ffd9b8a9932 11226->11227 11229 7ffd9b8a994e 11226->11229 11231 7ffd9b8a9928 11226->11231 11234 7ffd9b8a98d6 11226->11234 11242 7ffd9b87be50 11226->11242 11227->11219 11246 7ffd9b87bd48 11227->11246 11256 7ffd9b8a996d 11229->11256 11230 7ffd9b8a997f 11232 7ffd9b8a999a 11230->11232 11260 7ffd9b87be60 11230->11260 11231->11227 11231->11230 11232->11219 11234->11219 11239 7ffd9b87be89 BeginUpdateResourceW 11238->11239 11241 7ffd9b8ae080 11239->11241 11241->11224 11243 7ffd9b87be53 BeginUpdateResourceW 11242->11243 11245 7ffd9b8ae080 11243->11245 11245->11231 11246->11229 11247 7ffd9b8a9fa0 11246->11247 11255 7ffd9b8aa038 11247->11255 11264 7ffd9b87be70 11247->11264 11252 7ffd9b87be80 BeginUpdateResourceW 11253 7ffd9b8aa018 11252->11253 11253->11255 11272 7ffd9b87bea0 11253->11272 11255->11229 11257 7ffd9b8a997f 11256->11257 11258 7ffd9b8a9957 11257->11258 11259 7ffd9b87be60 BeginUpdateResourceW 11257->11259 11258->11219 11259->11258 11261 7ffd9b87be53 BeginUpdateResourceW 11260->11261 11263 7ffd9b8ae080 11261->11263 11263->11232 11265 7ffd9b87be53 11264->11265 11265->11264 11266 7ffd9b8ae005 BeginUpdateResourceW 11265->11266 11267 7ffd9b8a9fe6 11266->11267 11267->11255 11268 7ffd9b87be90 11267->11268 11269 7ffd9b87be99 BeginUpdateResourceW 11268->11269 11271 7ffd9b8aa002 11269->11271 11271->11252 11271->11255 11273 7ffd9b87bea9 BeginUpdateResourceW 11272->11273 11275 7ffd9b8ae080 11273->11275 11275->11255

                                      Executed Functions

                                      Function 00007FFD9B8790B4 Relevance: 3.7, Strings: 2, Instructions: 1185COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 59 7ffd9b8790b4-7ffd9b8791b6 call 7ffd9b877380 68 7ffd9b87a0b4-7ffd9b87a0c1 59->68 69 7ffd9b8791bb-7ffd9b879210 call 7ffd9b877390 68->69 70 7ffd9b87a0c7-7ffd9b87a12c call 7ffd9b87a24e 68->70 79 7ffd9b879212 69->79 80 7ffd9b879217-7ffd9b879309 69->80 79->80 89 7ffd9b87a094-7ffd9b87a0a1 80->89 90 7ffd9b87930e-7ffd9b87931c 89->90 91 7ffd9b87a0a7-7ffd9b87a0b1 89->91 92 7ffd9b879323-7ffd9b879358 90->92 93 7ffd9b87931e 90->93 91->68 96 7ffd9b879360-7ffd9b879388 call 7ffd9b870ea0 92->96 97 7ffd9b87935a-7ffd9b87935b 92->97 93->92 101 7ffd9b87938a-7ffd9b879391 96->101 102 7ffd9b8793f9-7ffd9b879400 96->102 98 7ffd9b87a08c-7ffd9b87a091 97->98 98->89 105 7ffd9b879393-7ffd9b87939a 101->105 106 7ffd9b8793c6-7ffd9b8793cd 101->106 103 7ffd9b879402-7ffd9b879409 102->103 104 7ffd9b879431-7ffd9b879438 102->104 107 7ffd9b879464-7ffd9b87948c 103->107 108 7ffd9b87940b-7ffd9b879415 103->108 111 7ffd9b87943e-7ffd9b879448 104->111 112 7ffd9b879e2b-7ffd9b879ea5 104->112 109 7ffd9b879530-7ffd9b87954c 105->109 110 7ffd9b8793a0-7ffd9b8793aa 105->110 113 7ffd9b8793d3-7ffd9b8793dd 106->113 114 7ffd9b8799b8-7ffd9b879ac5 call 7ffd9b876c10 106->114 115 7ffd9b8794f4-7ffd9b87951e 107->115 116 7ffd9b87948e-7ffd9b8794db 107->116 127 7ffd9b87941b-7ffd9b879425 108->127 128 7ffd9b879eaa-7ffd9b879f24 108->128 123 7ffd9b87954e-7ffd9b879637 call 7ffd9b876c10 109->123 124 7ffd9b8794dd-7ffd9b8794ee 109->124 130 7ffd9b8793b0-7ffd9b8793ba 110->130 131 7ffd9b879f29-7ffd9b879f3c 110->131 132 7ffd9b87944e-7ffd9b879458 111->132 133 7ffd9b879dac-7ffd9b879e26 111->133 173 7ffd9b87a08b 112->173 134 7ffd9b8793e3-7ffd9b8793ed 113->134 135 7ffd9b879bc8-7ffd9b879bdb 113->135 114->173 185 7ffd9b879529-7ffd9b87952b 115->185 116->124 245 7ffd9b87977e-7ffd9b87983a 123->245 246 7ffd9b87963d-7ffd9b87966e 123->246 124->115 162 7ffd9b87942b-7ffd9b87942c 127->162 163 7ffd9b879aca-7ffd9b879b44 127->163 128->173 155 7ffd9b8793c0-7ffd9b8793c1 130->155 156 7ffd9b879b49-7ffd9b879bc3 130->156 137 7ffd9b879f42-7ffd9b879f6b 131->137 138 7ffd9b87a00d-7ffd9b87a087 131->138 164 7ffd9b879853-7ffd9b879866 132->164 165 7ffd9b87945e-7ffd9b87945f 132->165 133->173 159 7ffd9b8793f3-7ffd9b8793f4 134->159 160 7ffd9b879d2d-7ffd9b879da7 134->160 140 7ffd9b879be1-7ffd9b879c0a 135->140 141 7ffd9b879cac-7ffd9b879d26 135->141 149 7ffd9b879fd3-7ffd9b87a00b 137->149 150 7ffd9b879f6d-7ffd9b879f8f 137->150 217 7ffd9b87a088-7ffd9b87a089 138->217 151 7ffd9b879c72-7ffd9b879caa 140->151 152 7ffd9b879c0c-7ffd9b879c30 140->152 223 7ffd9b879d27-7ffd9b879d28 141->223 149->217 150->149 151->223 152->151 155->173 156->173 159->173 160->173 162->173 163->173 169 7ffd9b87986c-7ffd9b879895 164->169 170 7ffd9b879937-7ffd9b8799b1 164->170 165->173 182 7ffd9b8798fd-7ffd9b879935 169->182 183 7ffd9b879897-7ffd9b8798f7 169->183 233 7ffd9b8799b2-7ffd9b8799b3 170->233 173->98 182->233 183->182 185->173 217->173 223->173 233->173 260 7ffd9b879841-7ffd9b87984e 245->260 253 7ffd9b879670 246->253 254 7ffd9b8796df-7ffd9b8796e8 246->254 253->254 254->245 260->173
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #P_H$+P_H
                                      • API String ID: 0-1412386595
                                      • Opcode ID: 2fa84e6b5c0442983e0ec9d65f655055bd12c5e2ebbf723315a870c1a61144d8
                                      • Instruction ID: e428b3369281d60a2bcb89d400db556807374d69d9a46aa5af7e3942cfcf8a02
                                      • Opcode Fuzzy Hash: 2fa84e6b5c0442983e0ec9d65f655055bd12c5e2ebbf723315a870c1a61144d8
                                      • Instruction Fuzzy Hash: 98A2DB30A1991D8FDBA9EB58C8A9BA8B3F1FF58304F5145E5D01DD72A5CA34AE81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B870F80 Relevance: 1.1, Instructions: 1147COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 455 7ffd9b870f80-7ffd9b87394e 457 7ffd9b873950 455->457 458 7ffd9b873955-7ffd9b8739b6 455->458 457->458 462 7ffd9b8739bc-7ffd9b8739e2 458->462 463 7ffd9b873d25-7ffd9b873d49 458->463 468 7ffd9b8739e4-7ffd9b8739f4 462->468 469 7ffd9b8739f9-7ffd9b873a67 462->469 466 7ffd9b873db1-7ffd9b873e11 463->466 467 7ffd9b873d4b-7ffd9b873dac 463->467 479 7ffd9b873e13-7ffd9b873e77 466->479 480 7ffd9b873e7c-7ffd9b873ea6 466->480 471 7ffd9b874d07-7ffd9b874d15 467->471 468->471 469->463 479->471 483 7ffd9b873eb8-7ffd9b873ee6 480->483 484 7ffd9b873ea8-7ffd9b873eb3 480->484 488 7ffd9b873f9d-7ffd9b873fc1 483->488 489 7ffd9b873eec-7ffd9b873f17 483->489 484->471 492 7ffd9b8741ee-7ffd9b874213 488->492 493 7ffd9b873fc7-7ffd9b87400e 488->493 494 7ffd9b873f70-7ffd9b873f98 489->494 495 7ffd9b873f19-7ffd9b873f6d 489->495 500 7ffd9b874284-7ffd9b874286 492->500 501 7ffd9b874215-7ffd9b874221 492->501 507 7ffd9b874060 493->507 508 7ffd9b874010-7ffd9b87405e 493->508 494->471 495->494 504 7ffd9b87428c-7ffd9b874298 500->504 502 7ffd9b874223-7ffd9b87423d 501->502 506 7ffd9b874299 502->506 518 7ffd9b87423f-7ffd9b874282 502->518 504->506 506->502 511 7ffd9b87429b-7ffd9b87429c 506->511 510 7ffd9b87406a-7ffd9b87407a 507->510 508->510 514 7ffd9b87408b-7ffd9b8740f8 call 7ffd9b870f78 510->514 515 7ffd9b87407c-7ffd9b874086 510->515 516 7ffd9b87429d-7ffd9b8742cc 511->516 517 7ffd9b8745e6-7ffd9b87460b 511->517 543 7ffd9b87416a-7ffd9b8741a0 514->543 515->471 524 7ffd9b8742d3-7ffd9b8742fd 516->524 525 7ffd9b8742ce 516->525 527 7ffd9b87460d-7ffd9b87467a 517->527 528 7ffd9b87467c-7ffd9b87467e 517->528 518->504 537 7ffd9b87434f 524->537 538 7ffd9b8742ff-7ffd9b87434d 524->538 525->524 529 7ffd9b874684-7ffd9b87469a 527->529 528->529 531 7ffd9b8746a0-7ffd9b8746d9 529->531 532 7ffd9b874bb9-7ffd9b874c1f 529->532 545 7ffd9b8746e0-7ffd9b8746ff 531->545 546 7ffd9b8746db 531->546 563 7ffd9b874c21-7ffd9b874c26 call 7ffd9b870f88 532->563 564 7ffd9b874c46-7ffd9b874c63 532->564 542 7ffd9b874359-7ffd9b874369 537->542 538->542 548 7ffd9b87436b-7ffd9b874375 542->548 549 7ffd9b87437a-7ffd9b8743c9 call 7ffd9b870f78 542->549 557 7ffd9b8740fa-7ffd9b874167 call 7ffd9b870f80 543->557 558 7ffd9b8741a6-7ffd9b8741e9 543->558 552 7ffd9b874701 545->552 553 7ffd9b874706-7ffd9b87477f 545->553 546->545 548->471 552->553 579 7ffd9b874781-7ffd9b87478b 553->579 580 7ffd9b874790-7ffd9b8747ad 553->580 557->543 558->471 571 7ffd9b874c2b-7ffd9b874c41 563->571 576 7ffd9b874cb5-7ffd9b874cb7 564->576 577 7ffd9b874c65-7ffd9b874cb3 564->577 571->471 581 7ffd9b874cbd-7ffd9b874cd3 576->581 577->581 579->471 590 7ffd9b8747ff 580->590 591 7ffd9b8747af-7ffd9b8747fd 580->591 584 7ffd9b874cfb-7ffd9b874d05 581->584 585 7ffd9b874cd5-7ffd9b874cf9 call 7ffd9b870f98 581->585 584->471 585->471 593 7ffd9b874809-7ffd9b87481f 590->593 591->593 595 7ffd9b874821-7ffd9b87482b 593->595 596 7ffd9b874830-7ffd9b874891 call 7ffd9b870f78 593->596 595->471 601 7ffd9b874893-7ffd9b87489d 596->601 602 7ffd9b8748a2-7ffd9b8749f6 596->602 601->471 616 7ffd9b874b60-7ffd9b874b9f 602->616 618 7ffd9b8749fb-7ffd9b874a45 616->618 619 7ffd9b874ba5-7ffd9b874bb4 616->619 622 7ffd9b874a4d-7ffd9b874b50 call 7ffd9b870f80 618->622 623 7ffd9b874a47-7ffd9b874a48 618->623 619->471 624 7ffd9b874b51-7ffd9b874b5a 622->624 623->624 624->616
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a7dfd057d3fe889abcba3ce8dc4809c497cf02aeacb3fbe23be24a2ab5a073f2
                                      • Instruction ID: 36d6d2b8202064ae7a8ce4fb239041f301cf2b64d703dfcbca77e03f85d19e9b
                                      • Opcode Fuzzy Hash: a7dfd057d3fe889abcba3ce8dc4809c497cf02aeacb3fbe23be24a2ab5a073f2
                                      • Instruction Fuzzy Hash: BBA2C770E1962D8FDBA8DF18C8A5BA9B7B1FF58305F5401EAD01DE7291DA346A81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B88309D Relevance: .6, Instructions: 575COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 633 7ffd9b88309d-7ffd9b8830ba 636 7ffd9b8830c5-7ffd9b8830f7 633->636 641 7ffd9b8830fd-7ffd9b883102 636->641 642 7ffd9b883227-7ffd9b883244 636->642 643 7ffd9b88349d-7ffd9b8834a0 641->643 644 7ffd9b883551-7ffd9b88361e 642->644 645 7ffd9b88324a-7ffd9b88324f 642->645 650 7ffd9b88350e-7ffd9b883528 643->650 672 7ffd9b8835ad-7ffd9b883623 644->672 673 7ffd9b883629-7ffd9b883668 644->673 646 7ffd9b883252-7ffd9b883259 645->646 647 7ffd9b8831dc-7ffd9b8831eb 646->647 648 7ffd9b88325b-7ffd9b88325f 646->648 647->642 654 7ffd9b883538-7ffd9b883549 647->654 651 7ffd9b882ff1-7ffd9b883033 648->651 652 7ffd9b883265 648->652 668 7ffd9b883048 651->668 669 7ffd9b883035-7ffd9b88303b 651->669 655 7ffd9b8832e3-7ffd9b8832e6 652->655 654->644 657 7ffd9b8832e9-7ffd9b8832f0 655->657 659 7ffd9b883267-7ffd9b88329c call 7ffd9b880b08 657->659 660 7ffd9b8832f6 657->660 659->644 674 7ffd9b8832a2-7ffd9b8832b2 659->674 666 7ffd9b883366-7ffd9b88336d 660->666 670 7ffd9b88336f-7ffd9b8833b5 666->670 671 7ffd9b8832f8-7ffd9b88332a call 7ffd9b880b08 666->671 675 7ffd9b883457-7ffd9b88346f 668->675 669->675 713 7ffd9b883184-7ffd9b883188 670->713 714 7ffd9b8833bb-7ffd9b8833c0 670->714 671->644 686 7ffd9b883330-7ffd9b883358 671->686 672->673 687 7ffd9b8835cd-7ffd9b883625 672->687 691 7ffd9b88366f-7ffd9b883671 673->691 692 7ffd9b88366a call 7ffd9b882280 673->692 674->651 679 7ffd9b8832b8-7ffd9b8832d5 674->679 679->644 683 7ffd9b8832db-7ffd9b8832e0 679->683 683->655 686->644 689 7ffd9b88335e-7ffd9b883363 686->689 687->673 700 7ffd9b8835f0-7ffd9b883627 687->700 689->666 695 7ffd9b883751-7ffd9b883765 call 7ffd9b882280 691->695 696 7ffd9b883677-7ffd9b88367b 691->696 692->691 703 7ffd9b8837cf-7ffd9b8837e5 695->703 704 7ffd9b883767-7ffd9b883772 695->704 697 7ffd9b88379e 696->697 697->697 700->673 707 7ffd9b88360a-7ffd9b88361d 700->707 716 7ffd9b8837e9-7ffd9b883839 703->716 717 7ffd9b8837e7 703->717 708 7ffd9b883774-7ffd9b88377d 704->708 709 7ffd9b88378e-7ffd9b88379d 704->709 708->709 711 7ffd9b88377f-7ffd9b8837ce call 7ffd9b8823b0 708->711 709->697 721 7ffd9b8831da 713->721 722 7ffd9b88318a-7ffd9b8831a7 713->722 720 7ffd9b883446-7ffd9b88344a 714->720 718 7ffd9b883829-7ffd9b883874 call 7ffd9b882c70 716->718 717->716 717->718 724 7ffd9b883450-7ffd9b883456 720->724 725 7ffd9b8833c5-7ffd9b8833f4 call 7ffd9b880b08 720->725 721->646 722->650 725->644 736 7ffd9b8833fa-7ffd9b88340a 725->736 738 7ffd9b883051-7ffd9b883492 736->738 739 7ffd9b883410-7ffd9b88341f 736->739 738->643 739->644 742 7ffd9b883425-7ffd9b883438 739->742 742->657 744 7ffd9b88343e-7ffd9b883443 742->744 744->720
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a46b8abe52e3a7129d7812e9b876f043d136c56a935ec261686b9008f73c6948
                                      • Instruction ID: 23a2660f892562f263ff0ccf5a84b6915d519445cc05872341f19936f52e963a
                                      • Opcode Fuzzy Hash: a46b8abe52e3a7129d7812e9b876f043d136c56a935ec261686b9008f73c6948
                                      • Instruction Fuzzy Hash: F7128130F0994E8FDB6CDB989470AB877A1FF59304F1541BEE46ED7292DE386A418B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87BEC0 Relevance: 1.7, APIs: 1, Instructions: 242COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 262 7ffd9b87bec0-7ffd9b87bec1 263 7ffd9b87bec5-7ffd9b87bed2 262->263 265 7ffd9b87bea4-7ffd9b87bebb 263->265 266 7ffd9b87bed4-7ffd9b87bef2 263->266 270 7ffd9b8adf60-7ffd9b8adfe9 265->270 266->263 271 7ffd9b87bef4-7ffd9b87bf51 266->271 276 7ffd9b8ae005-7ffd9b8ae07e BeginUpdateResourceW 270->276 277 7ffd9b8adfeb-7ffd9b8ae002 270->277 271->270 279 7ffd9b8ae086-7ffd9b8ae0e0 276->279 280 7ffd9b8ae080 276->280 277->276 280->279
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff4c8383e7a8f9774619a57708a148ba3f3a2d28675bd3cc4efe9656557d2bcb
                                      • Instruction ID: 08af8702739b7a2979dc68afa3708050136de2b5610593fee36df6627a79062d
                                      • Opcode Fuzzy Hash: ff4c8383e7a8f9774619a57708a148ba3f3a2d28675bd3cc4efe9656557d2bcb
                                      • Instruction Fuzzy Hash: 9C71E130A0D65D8FDB64EFA8D895BE9BBF0FF55310F0081AAC04CC7296DA349986CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87BE70 Relevance: 1.7, APIs: 1, Instructions: 216COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0e3d2450e1500e061cd309c440de29a8e6da6390bc737409fc11292613ef2b5f
                                      • Instruction ID: 340c58622dcc8598ff3b90b9779dbec484038db117711b6d12a11a195e632f95
                                      • Opcode Fuzzy Hash: 0e3d2450e1500e061cd309c440de29a8e6da6390bc737409fc11292613ef2b5f
                                      • Instruction Fuzzy Hash: DC61B270A0D65D8FDBA4DF98C895BA9BBF1FF59310F1481AAC04CD3296DA34A985CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87BE90 Relevance: 1.7, APIs: 1, Instructions: 184COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 306 7ffd9b87be90-7ffd9b8adfe9 313 7ffd9b8ae005-7ffd9b8ae07e BeginUpdateResourceW 306->313 314 7ffd9b8adfeb-7ffd9b8ae002 306->314 315 7ffd9b8ae086-7ffd9b8ae0e0 313->315 316 7ffd9b8ae080 313->316 314->313 316->315
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 990c6f873c67973fd9e91d5360bd555961009955cff3c81aa28ccaea77e9d49a
                                      • Instruction ID: c608569feef2f2ad78e10e9aebe90d9d1cff0c5c2e22c44f3c774516ca4deff9
                                      • Opcode Fuzzy Hash: 990c6f873c67973fd9e91d5360bd555961009955cff3c81aa28ccaea77e9d49a
                                      • Instruction Fuzzy Hash: 86514F70A08A1D8FDBA8DF98D884BE9B7F1FF59311F1081AAD04DD3255DB749985CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87BEA0 Relevance: 1.7, APIs: 1, Instructions: 177COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 319 7ffd9b87bea0-7ffd9b8adfe9 324 7ffd9b8ae005-7ffd9b8ae07e BeginUpdateResourceW 319->324 325 7ffd9b8adfeb-7ffd9b8ae002 319->325 326 7ffd9b8ae086-7ffd9b8ae0e0 324->326 327 7ffd9b8ae080 324->327 325->324 327->326
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1856295226.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b870000_Mt6QkZnVbc.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6074f115e4346dd0ba1a07a0c58358165960bbe3443de6e013acc216e2ae6762
                                      • Instruction ID: 16ce81f76a6237b50760d6f3a2d5087ec779a6bca25243bbd56a09cac8b781ba
                                      • Opcode Fuzzy Hash: 6074f115e4346dd0ba1a07a0c58358165960bbe3443de6e013acc216e2ae6762
                                      • Instruction Fuzzy Hash: FB513C70A08A1D8FDBA8DF98D888BE9B7F1FB59311F1081AAD00DD3255DB74A985CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8B0F88 Relevance: .6, Instructions: 614COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47c8f5928369366ceeb15c233a6104a26a0a331fd35c3d046ef6e4962c1922dd
                                      • Instruction ID: 4c804ae222e233dc30b43836381bb68fa262f555378f3f34d163e9d85faf41a1
                                      • Opcode Fuzzy Hash: 47c8f5928369366ceeb15c233a6104a26a0a331fd35c3d046ef6e4962c1922dd
                                      • Instruction Fuzzy Hash: C642D670E1962D8FDBA8DF68C8A0BEDB7B1FF58305F5041A9D00DA7295DA346A81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B06E0 Relevance: 6.5, Strings: 5, Instructions: 237COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =L_^$?L_I$L_^X$L_^f$L_^g
                                      • API String ID: 0-1339829850
                                      • Opcode ID: 9a8c7147762f154b0f1bef1595d31b74240f4398718eac8caf9ba445a68f0ca9
                                      • Instruction ID: bc0888d5ba8324f31a1f386a3b73ac00e62261bbd0a98c2e20fd0246eeb161f2
                                      • Opcode Fuzzy Hash: 9a8c7147762f154b0f1bef1595d31b74240f4398718eac8caf9ba445a68f0ca9
                                      • Instruction Fuzzy Hash: 1761CBA3B1F6995BE76657ED6C250FC7BA0FF85660B0402F7E058860F7EC156A028BC1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0F98 Relevance: 1.6, Strings: 1, Instructions: 371COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: &
                                      • API String ID: 0-2822232526
                                      • Opcode ID: 76d9ac1c16db77e3aa22d69bdc14ca1e0672cba507ca3cfb99f2904883ea5080
                                      • Instruction ID: 84859d73abde7c9462a48fa904c0a98b7d070a0c782e65d41580b61b46ca38a1
                                      • Opcode Fuzzy Hash: 76d9ac1c16db77e3aa22d69bdc14ca1e0672cba507ca3cfb99f2904883ea5080
                                      • Instruction Fuzzy Hash: 7FD13D71E1965D8FDBACDB68D864BA8B7B1FF58300F4441BAD00DE32A6DA346981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?L_^
                                      • API String ID: 0-1098677799
                                      • Opcode ID: 039091645b6a6c88896c9be0a40d3117758e8fa73b970abb7ef237f58c20a062
                                      • Instruction ID: d17e4623dfc08d415a551a0699b3af363519e18d4aa47aca55ec7d940e73da13
                                      • Opcode Fuzzy Hash: 039091645b6a6c88896c9be0a40d3117758e8fa73b970abb7ef237f58c20a062
                                      • Instruction Fuzzy Hash: C601D231A0926E8FC756EF7898615FA37A0EF05308F04017AE05CCA093EE29A551CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B7C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 852db35bf5706b0e1bfd112ce6122820c46680b2f5bdcce470e2300488a7462f
                                      • Instruction ID: d6ba5aa5bf007ae8c097c25d16da9fd8b89276596476bb0637d6fc0166a6471d
                                      • Opcode Fuzzy Hash: 852db35bf5706b0e1bfd112ce6122820c46680b2f5bdcce470e2300488a7462f
                                      • Instruction Fuzzy Hash: 1EC16D74A0A62D8FDBA4DBA884957ED7BF1FF58305F518179D00DD3295CA38A982CF80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 29c89cb2ffc3e84907132b7396a44cea87cbfbe21b063bee08ddaa98eaa7a9ea
                                      • Instruction ID: 1496574f99fbb3859239e007039bf3ede0454998d4fa3cbb52cdf8e00787404c
                                      • Opcode Fuzzy Hash: 29c89cb2ffc3e84907132b7396a44cea87cbfbe21b063bee08ddaa98eaa7a9ea
                                      • Instruction Fuzzy Hash: 48B14C71E1965D8FDBACDB68D865BA8B7A1FF58300F4401BAD00DE72A2DE346980CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B05D8 Relevance: .3, Instructions: 279COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d16e1c597176771dd4a4588cf72b1e89ab04c27491d11949e552a9282bd7e70
                                      • Instruction ID: 3176330d198d522b645d8910a7aaaeb3a6e094c00f103e914a0789bf6a052952
                                      • Opcode Fuzzy Hash: 2d16e1c597176771dd4a4588cf72b1e89ab04c27491d11949e552a9282bd7e70
                                      • Instruction Fuzzy Hash: F781F331B1DA594FDB6CEF6888605B977E2FF98300B15017EE45DC72A6DE34E9028B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B6163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 328d2cfbd12fdc3d266d121a23ab29e897f6e843c2b3009e9a9e4b22b7ec8136
                                      • Instruction ID: 4a4699ff26b727c74f3abc9ec82d8b2e5ca1e7b2dae6abb9ab5ed88b56eabe89
                                      • Opcode Fuzzy Hash: 328d2cfbd12fdc3d266d121a23ab29e897f6e843c2b3009e9a9e4b22b7ec8136
                                      • Instruction Fuzzy Hash: 4471A570E1891D8FEB94EFA8C865BEDB7B1FF58300F5041AAD41DE3295DA3469818F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B129D Relevance: .2, Instructions: 184COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5dd92693221a073283b2d61710f07eed08412044995a1e467eb7920534bc9c27
                                      • Instruction ID: c8001802767fb14d05c6cdab4575cda95df31ed3646d21f0893adaf8168d6a34
                                      • Opcode Fuzzy Hash: 5dd92693221a073283b2d61710f07eed08412044995a1e467eb7920534bc9c27
                                      • Instruction Fuzzy Hash: DF510131B18A594FDB58DF2888645BA77E2FF98300B15417ED45EC7291DE34E9028B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B2CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7d13ea0c830fe39205eba0dc1d1c1d5c71d3a09a2e9c1aea42f71ba756e2a74
                                      • Instruction ID: 0435336c1b55a788e07058423d8bf87a7a11de9d93f48d98abd4e7085ae8f7a6
                                      • Opcode Fuzzy Hash: b7d13ea0c830fe39205eba0dc1d1c1d5c71d3a09a2e9c1aea42f71ba756e2a74
                                      • Instruction Fuzzy Hash: 50515271E0995D8FDF95EFA8D455AECBBB1FF59300F45016AD00DE7292CB24A941CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9ed0fb9cbb47389790a833d0c8b2930bd07c375f50b05499a1ba9f1999fde6de
                                      • Instruction ID: cc30253d9387d9c09842128e17c76baf9746136e4247b7f6ca66198c970a88d8
                                      • Opcode Fuzzy Hash: 9ed0fb9cbb47389790a833d0c8b2930bd07c375f50b05499a1ba9f1999fde6de
                                      • Instruction Fuzzy Hash: 0051F961A0E6AD4FE7A19BB89C657A87FA0EF49300F0501F7D08CC71E7DD246A85CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69587771db352ff09593235a20431932a3612a4e60a7ea35c498a2f8294ca80f
                                      • Instruction ID: 47797f8067ae6efb334f0fd2e4b93d4719f8950736f49bdd632c22ec5c4a6701
                                      • Opcode Fuzzy Hash: 69587771db352ff09593235a20431932a3612a4e60a7ea35c498a2f8294ca80f
                                      • Instruction Fuzzy Hash: 0E319531E2E62E8AE774BB6084217F9B2A1FF4A300F410279D05D961E5CF396A45CFC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a51352056086ae4da8d8b03e57c1084ae8e5a53835f5723b1dbd7f2c1fcd3af
                                      • Instruction ID: 559e58cb0b4e0e512be95486cf0d75752017db9442cf3ee47a5c32c1fac18747
                                      • Opcode Fuzzy Hash: 0a51352056086ae4da8d8b03e57c1084ae8e5a53835f5723b1dbd7f2c1fcd3af
                                      • Instruction Fuzzy Hash: A1415035E1991D8FDB54EBA8C864AECBBF1FF58301F4501B9D009E72A1DB34A945CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d6d70f9dd024b61ee59b5ce404232c27b0c9b487a84685aa3d96ab5da0c09a58
                                      • Instruction ID: c8cfbfeaaab26423c9162a78f4e29a424c9bac97c8923a16ffc51545fdaa2338
                                      • Opcode Fuzzy Hash: d6d70f9dd024b61ee59b5ce404232c27b0c9b487a84685aa3d96ab5da0c09a58
                                      • Instruction Fuzzy Hash: 7E416B70E1865D8FDB84EFA8D865AEDBBF1FF48310F45017AE008E3296DA346841CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 45e16f85ced96a6e710308b996d54ffdcd2fbe107f060f9d87b6cd357ba97871
                                      • Instruction ID: 221f60697e2508e179718c8b2f50b82131231d1ce6f4f389df742cebb6adffba
                                      • Opcode Fuzzy Hash: 45e16f85ced96a6e710308b996d54ffdcd2fbe107f060f9d87b6cd357ba97871
                                      • Instruction Fuzzy Hash: 3B418F70E096598FDB55EFA4C865AEDBBB1FF49300F5101BAD009D7296CB389981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B83F5 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a78dba29b35b32afbf2c7d312c95db9ba199fbcd5a34ede8d62d4afa77c43f2
                                      • Instruction ID: 6eb79b0f14709e6e6740b8dd418d787cd4e42f5cb37f3f397ee5ee930880a2be
                                      • Opcode Fuzzy Hash: 9a78dba29b35b32afbf2c7d312c95db9ba199fbcd5a34ede8d62d4afa77c43f2
                                      • Instruction Fuzzy Hash: 9C315A31E0962E8FDB68DFA4D4646FEB7B1EF48305F01017AE019A32D5CA385A41CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B5A29 Relevance: .1, Instructions: 100COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d97ad5a57aaeb2c93284b0874bc3831d7e2fcbab41203ef7e9a158123915718
                                      • Instruction ID: a64f65ea2db8282278c559f56b72958e91edaacd59c7fe53f49f7454a22b6b8f
                                      • Opcode Fuzzy Hash: 5d97ad5a57aaeb2c93284b0874bc3831d7e2fcbab41203ef7e9a158123915718
                                      • Instruction Fuzzy Hash: 20314B71A0991D8FDB94EFACD4A5AADB7F1FF98304F10012AE01DD3295CA35A8428B80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B5931 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f995ff7d1bf33fb6921b80683c7e8e6e34b01c9b669a35bd95e69373d155d9e
                                      • Instruction ID: ec15e65ab772f0a1b79415c2f83170261f8d088b69577c80d2355bc65d352a0a
                                      • Opcode Fuzzy Hash: 4f995ff7d1bf33fb6921b80683c7e8e6e34b01c9b669a35bd95e69373d155d9e
                                      • Instruction Fuzzy Hash: C531463060F6DE4FE7A29B74C824AE47FB1EF4A314F0904EED089DB197C9285845C742
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B2BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4e9353aab883391faa8be4dab00d428b8f0bc676a62413e0ccea74ef618f60b6
                                      • Instruction ID: 864fcf00c28dc23d0cc293379bad6f40c36ffa5d3d0cdce6108f859213494ce0
                                      • Opcode Fuzzy Hash: 4e9353aab883391faa8be4dab00d428b8f0bc676a62413e0ccea74ef618f60b6
                                      • Instruction Fuzzy Hash: 08312A70E0A65E8FDB55DFA8D8606EDBBB1FF49301F10057AE019E3291DB389941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a6fb3c5649b606b330c900cd77f4b24bf22f1e02abb9e3214d2270da3637f01
                                      • Instruction ID: 8e0d3ae39bf9f6917242d1d60ce307d9a6d9f4757655d93736b3dc51566a1da7
                                      • Opcode Fuzzy Hash: 2a6fb3c5649b606b330c900cd77f4b24bf22f1e02abb9e3214d2270da3637f01
                                      • Instruction Fuzzy Hash: C411FC31E2A52D8ED769EB60D4657FCB271FF06301F4110B9D04DA62A6CE356E44CF80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1E4D Relevance: .0, Instructions: 49COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7b637567b654b64d4aa4b857228201ce00f7c845af1429197b299690ca108478
                                      • Instruction ID: cd88c740ed48df1662f87082b8fa165a23007f0de892266ac44f26c1fc8a8360
                                      • Opcode Fuzzy Hash: 7b637567b654b64d4aa4b857228201ce00f7c845af1429197b299690ca108478
                                      • Instruction Fuzzy Hash: B7018E70E1A65D8EE755EFA888696ECBBA0FF08300F4545BAD418C71E2DA3465408B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B08B1 Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0938f703f33466f9acef216b9335600b7b9bb6db91dd205e2d2ff6f55878e6e7
                                      • Instruction ID: d9ba7fd96d2901dc1f4fbb6717aace39a7e3b403ca369dae7130baae53d65570
                                      • Opcode Fuzzy Hash: 0938f703f33466f9acef216b9335600b7b9bb6db91dd205e2d2ff6f55878e6e7
                                      • Instruction Fuzzy Hash: DAF02230A0D64D8FE794EB7888A95EC7FB0EF88300F8105FAD408C61A2DF3816498B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31b23c9e4c82782e8b46b2d77083c3ee9f9fb09dff541cfd7654a2a7031d128d
                                      • Instruction ID: c1eb0404edce317978babe0bb91df529cfaa2f38082dc03cbd78c8e422a14783
                                      • Opcode Fuzzy Hash: 31b23c9e4c82782e8b46b2d77083c3ee9f9fb09dff541cfd7654a2a7031d128d
                                      • Instruction Fuzzy Hash: 0EF02831A1E64D5FD751EB788C655EC7FA0EF48200F4101F6D418CB2E3DB28A949C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c27bb3ca9f1c2fc609b5d40c53f8eacd38f7d0e0ac17b7e669fb430352200e87
                                      • Instruction ID: c9dfec9c63295712f4ebe7c97c3728425da9bc93592a6970de723ad899e62fc2
                                      • Opcode Fuzzy Hash: c27bb3ca9f1c2fc609b5d40c53f8eacd38f7d0e0ac17b7e669fb430352200e87
                                      • Instruction Fuzzy Hash: B8F0BE3050E64D8FCB66EF24C8516E93BA0FF5A300F0501AAE41CCB196CB7ADA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B8399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e9fc76aafe138c74fdd65096719cfc2ae6319ab9fe35b40830e0b831a45cecc
                                      • Instruction ID: a30f529f492872ca304c64d20bc5706927862dbe2e5b2e64db69a2b251524933
                                      • Opcode Fuzzy Hash: 5e9fc76aafe138c74fdd65096719cfc2ae6319ab9fe35b40830e0b831a45cecc
                                      • Instruction Fuzzy Hash: FAF03C3191D69D8FDB51EB7888686EDBFF0FF19300F0504A7D458D60A2D7346558CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 432d24d1fd1050ca00c0840a8a7201cd64d0db7f0804005701bda6b8cd227d0c
                                      • Instruction ID: c14000dea9572f4d7f9f3dff157658dc6dd583c9076c943b63c4709b4fbfd70e
                                      • Opcode Fuzzy Hash: 432d24d1fd1050ca00c0840a8a7201cd64d0db7f0804005701bda6b8cd227d0c
                                      • Instruction Fuzzy Hash: B5F0823050960ECFDB69EF64D4116F577A0FF59304F000176E41CD71D6CA35A660CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B81E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 35853afa75b69b8af2630670ab5a25cd29eb57b7b51ebb0d863fcffa3e8693d1
                                      • Instruction ID: 93c7a68d977ef0b3331224a72bb2fcc2e540af28af874aaf0a4721c2dcc070e6
                                      • Opcode Fuzzy Hash: 35853afa75b69b8af2630670ab5a25cd29eb57b7b51ebb0d863fcffa3e8693d1
                                      • Instruction Fuzzy Hash: A1E0DF7298DE5C8BDF64AB699C2029877B1FB8D308F01026EE48CC7191E7355EA6CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5b18e3ae6d68f1bc2f74094ee4ecbd4cf08eb6e3b416cb339c5958d286e9631b
                                      • Instruction ID: a0bda24ba1446f777d164d855fed1601e2c05d2f4986bf1417e8ded4d3dd6b5c
                                      • Opcode Fuzzy Hash: 5b18e3ae6d68f1bc2f74094ee4ecbd4cf08eb6e3b416cb339c5958d286e9631b
                                      • Instruction Fuzzy Hash: 36E0C03190DA0C4BCB509FAD9C602C873B0FB4C308F01026DD44CC71C1D3319544C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23ba22b8572c9bb666e20d31bca06677ba9c48c0ae40591f7c4364df5adebe8f
                                      • Instruction ID: 8bebb03e8e9f82e6d93361e3adf8cf6e57b0d7ea40d1fe8a6e5ee34cc2699785
                                      • Opcode Fuzzy Hash: 23ba22b8572c9bb666e20d31bca06677ba9c48c0ae40591f7c4364df5adebe8f
                                      • Instruction Fuzzy Hash: 02E09B3185F69E4FD7216F6049651DD7B60FF05300F0616BBD0588A1D3D76C9618CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d24992e485735ca18b3b10e06babd7af33ca46ad9845132f942a62b29df2134c
                                      • Instruction ID: 1cc1f3f5f1927b86c6c415b5c3a98059dc78c018205414e97c9c95f8e4fe0153
                                      • Opcode Fuzzy Hash: d24992e485735ca18b3b10e06babd7af33ca46ad9845132f942a62b29df2134c
                                      • Instruction Fuzzy Hash: 4EF0A03194F39E4FDB626B6048A11D97B70FF06200F0A06BAD058CA1E3DA6896588782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f1e26ab06a89818f1311acbcaa7ec1ca5cd32cc861e7468ca42c0f95a40525b
                                      • Instruction ID: 933d3a308bf1a3af5faab54d7fec7e375052cbbff75b3aeb6b740db35a59ffb7
                                      • Opcode Fuzzy Hash: 5f1e26ab06a89818f1311acbcaa7ec1ca5cd32cc861e7468ca42c0f95a40525b
                                      • Instruction Fuzzy Hash: EEF01970A1485D4FDFA4DF24C854BD9B3B1FB58344F1086E6900DE3155DA30AEC58F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 54dc86a14f543349dc7700b5e0320e69aa6d7c8dd2378ae33cffcb442974c070
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: BCE04F3051960ECFDBA8EF68C450AA677A1FF58304F100539E41CD6190CB35E6A0CFC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c3e7c8b5fba0c13c1c25a28d3a7b0f8af8a3f7f6d4c3d1b80ee886698c4dedc
                                      • Instruction ID: 6d43862fdfc81b5fe8046d8ff69ef1083bb3ad44c7a457707b8036116019e048
                                      • Opcode Fuzzy Hash: 6c3e7c8b5fba0c13c1c25a28d3a7b0f8af8a3f7f6d4c3d1b80ee886698c4dedc
                                      • Instruction Fuzzy Hash: 1FE08C30F1452D8ECB58EB98E810BEDB370FF85300F8000F1C00CE3186DA3069418B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8B06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =L_^$?L_I$L_^U$L_^X$L_^f$L_^g
                                      • API String ID: 0-3399030255
                                      • Opcode ID: f4801156bbce5df0b5c6c10c682d22bfe4ea4dfb296037fc788a2b4cf71e8952
                                      • Instruction ID: 6a395c2d2ba314665f3511997b977dd68493e6623f08d83c5490d6e986db0b67
                                      • Opcode Fuzzy Hash: f4801156bbce5df0b5c6c10c682d22bfe4ea4dfb296037fc788a2b4cf71e8952
                                      • Instruction Fuzzy Hash: ED518EA3B1F6951BE76257ED2C210A87B50FF4566071502F7E098870F7FC16AA068BC1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1881371494.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b8b0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?L_I$L_^J$L_^K$L_^f$L_^g
                                      • API String ID: 0-841158015
                                      • Opcode ID: 699f3f4d504d7e448c560192c95e249343456fd478254dd19af2af204ed72d29
                                      • Instruction ID: 3c620171f82a6507c1976114c3ab05e2619944930ccd4038ad59ac6de986fbe3
                                      • Opcode Fuzzy Hash: 699f3f4d504d7e448c560192c95e249343456fd478254dd19af2af204ed72d29
                                      • Instruction Fuzzy Hash: 46519BA3B1F6990BE72617FD2C210B87750FF8566071506F7D098860E7F816AA068BC1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8A5141 Relevance: 9.4, Strings: 7, Instructions: 623COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: 5920ec1e924245572f74682fcf43d9454ae8a44edf5be44999c6dd8c7a228269
                                      • Instruction ID: 0b3d865c1e9cbbc86e8714b9941e62b9d8b13a1ba9cbefbc1526690461fd717d
                                      • Opcode Fuzzy Hash: 5920ec1e924245572f74682fcf43d9454ae8a44edf5be44999c6dd8c7a228269
                                      • Instruction Fuzzy Hash: 3A42E670E1962D8FDBA8DF68C8A0BEDB7B1FF58301F5041A9D04DA7295DA346A81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06E0 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^X$M_^f$M_^g
                                      • API String ID: 0-154525759
                                      • Opcode ID: f3af8ed530a959b4d3d17e3903c5bfe5325fab762ac404de893efca5560449ca
                                      • Instruction ID: 33de41a91770fb75a9eef55ca27c3fcfb3223d606929fa0f0d5d8e5f4d5dd820
                                      • Opcode Fuzzy Hash: f3af8ed530a959b4d3d17e3903c5bfe5325fab762ac404de893efca5560449ca
                                      • Instruction Fuzzy Hash: C1615763B0F68D9AE725579C7C250B87BA0FF45A60B4503F7E05C860E7FD256A028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_^
                                      • API String ID: 0-1086198800
                                      • Opcode ID: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction ID: 3d8521bafb06154367cd6c1cff0b4bd3395916ff398081af40a7354ad919294e
                                      • Opcode Fuzzy Hash: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction Fuzzy Hash: 2E01F531A0A25ECFC756EF6898A15F677A0FF05308F0402BAE05CC70D3EE29A551C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction ID: c4eee4dfb26f822c80f2799e5fb765654599f6d40afb2291563f292b4d95e10b
                                      • Opcode Fuzzy Hash: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction Fuzzy Hash: F9D14C71E1965D8FDBACEB58D865BA8B7B1FF58300F4441B9D00DE32A2DE386981CB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A7C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 050c338074b1d30c483c0cd8f1182a2110f4d06b8253d24835ea2ae3b1581dfd
                                      • Instruction ID: 029bdbc84840311cc3f537ec7a26a079b1392ffe938a92787033e00d1f6cef83
                                      • Opcode Fuzzy Hash: 050c338074b1d30c483c0cd8f1182a2110f4d06b8253d24835ea2ae3b1581dfd
                                      • Instruction Fuzzy Hash: 79C18D74E0A51D8FEBA5DFA884A57BD7BB1FF58300F514179C00DD3296DA386A82CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction ID: 2577d3ba8292d67337c187970afcae245e713283573329d56a3fb02e1da44ceb
                                      • Opcode Fuzzy Hash: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction Fuzzy Hash: CBB16E71E19A5D8FDBACEB58D865BA8B7A1FF58300F4441B9D00DE72E2DE346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A05D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction ID: d9638f63021583494f95167e29688675b120fbe4741530340d955a603c15c04d
                                      • Opcode Fuzzy Hash: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction Fuzzy Hash: 6981E031B0DA494FDB68EF5C88605A977E2FF99700B15456AE49EC3292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A6163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a382a8022d4ac12edbfe32eae57056bbb4544d9c2a754d3382613cccaaeae953
                                      • Instruction ID: 3583de6d97c65e2309813eb3eaa055cc878227a313766ad0a2c907bb6b8bff75
                                      • Opcode Fuzzy Hash: a382a8022d4ac12edbfe32eae57056bbb4544d9c2a754d3382613cccaaeae953
                                      • Instruction Fuzzy Hash: F671B470E1491D8FEB94EFA8C8A5BECB7B1FF58300F5041BAD41DE3296DA3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction ID: dda21314199da0e545e0db3918eb48de3e6f086afecd7db00e4081cacd75964a
                                      • Opcode Fuzzy Hash: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction Fuzzy Hash: 2451DF30B19A4D4FDB58EF1888645BA77E2FF99304B15417EE45EC7292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction ID: 55b8106ca91a02037857c674765e3698e297d3b487388b95cea0dd0541718278
                                      • Opcode Fuzzy Hash: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction Fuzzy Hash: 97516071E09A4D8FDBA4EFA8C465AEDB7F1FF59300F01016AE00DE7292CA24A941CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7e8d676dbd1cd7f2d0215ca274d4a17a9705aaf9234b8503e6ef88a963a91ce
                                      • Instruction ID: 4b4c90650024131ca63145d91525471075d975913bf879cc754fa590eb1b504d
                                      • Opcode Fuzzy Hash: b7e8d676dbd1cd7f2d0215ca274d4a17a9705aaf9234b8503e6ef88a963a91ce
                                      • Instruction Fuzzy Hash: 1351E461A0F69D4FE7B1ABA88D647A87BA0EF5A300F0541F7D08CC71E7DD282A85C751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A16B5 Relevance: .1, Instructions: 146COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f01b93f5dc417e883cbe27201897bcd75ea3c3f066c2eafc913874a226a44a0
                                      • Instruction ID: 42ef3d5ceacfd0886a41155a360a94c22dd6a48461753d9337a38f4931545448
                                      • Opcode Fuzzy Hash: 2f01b93f5dc417e883cbe27201897bcd75ea3c3f066c2eafc913874a226a44a0
                                      • Instruction Fuzzy Hash: BB416C31B0EA4A4FD76D9B6898711B9B7D1FF8A250B0941BFE44DC72E6DE18B9018341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction ID: 81dfd5026df9d0b9b50f8e493e0f7379b3885173aa04c3c51a371722d7c5e403
                                      • Opcode Fuzzy Hash: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction Fuzzy Hash: 09317031E1E61E8AE774BB9484217FCB2A1FF5A300F410279D45E931E5DF396A45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2149cc4de0aed8fd91082e16453dbe27143985232f138087675de95aa8cb8a0d
                                      • Instruction ID: 6f4f8edf730aa17f444c6157ef33fbdabff64625ac9cb746452fadfef8cbf7ff
                                      • Opcode Fuzzy Hash: 2149cc4de0aed8fd91082e16453dbe27143985232f138087675de95aa8cb8a0d
                                      • Instruction Fuzzy Hash: D6417E71E09A1D8FDB54EF98D8A4AECBBF0FF09300F4000AAE009E72A1DB349945CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3e06641b46f1d914ad8fef1dbd4fdd248cbfbbeafabe965d860112e3d5c76db6
                                      • Instruction ID: 4562b5ffdc299491b0309e6664804ccf6beab5906e20acd33a30ffeff07ded69
                                      • Opcode Fuzzy Hash: 3e06641b46f1d914ad8fef1dbd4fdd248cbfbbeafabe965d860112e3d5c76db6
                                      • Instruction Fuzzy Hash: 31418D70E096498FEB55DFA4C865AEDBBB1FF59300F5101BAD009D729ACB389A81CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c22224e4faec90153b27fbcf1d777ede2b78d6bad7603be362323b00d5732127
                                      • Instruction ID: c479a1bd919ba11a527b1b74535c75e482b097f6574309fe38985c951ea9951f
                                      • Opcode Fuzzy Hash: c22224e4faec90153b27fbcf1d777ede2b78d6bad7603be362323b00d5732127
                                      • Instruction Fuzzy Hash: 32415D70E14A4D8FDB94EFA8D865AEDBBF1FF48310F05017AE008E7296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A83F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7c9149bdb85b1f72b19deb9f45825feefc435d139f31184d17ed380e45d50ea
                                      • Instruction ID: b5e9e5c1c6bb30469b08ca02793f8751844d2ed4c2a59293a09c846116b2d2aa
                                      • Opcode Fuzzy Hash: e7c9149bdb85b1f72b19deb9f45825feefc435d139f31184d17ed380e45d50ea
                                      • Instruction Fuzzy Hash: 13315C31E0A61E8FDB58DFA4D4646FDB7B5EF48301F41017AE019A32D5CA385A41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5A29 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1ce2e90fbc767a4296f872ab08700d34ca919d08c7d3843b404d4f7e9930ac0
                                      • Instruction ID: 5e74ee42e3547d0fc64be560c5a2c3e8c079ab06f84f6e38e5ce23b3bb6ec512
                                      • Opcode Fuzzy Hash: a1ce2e90fbc767a4296f872ab08700d34ca919d08c7d3843b404d4f7e9930ac0
                                      • Instruction Fuzzy Hash: 53315C71B0894D8FDB94EF9CC495AADB7F1FF98305F10056AE01DD7295CB35A9428B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5931 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 63c0959c17ee2e32595c5087fc7086a9b4eec76726ecf8d86e13227111a2be88
                                      • Instruction ID: b884b8c8660406068421ece7426ca80749fd99939aecc6d0ee40d55f90d741a7
                                      • Opcode Fuzzy Hash: 63c0959c17ee2e32595c5087fc7086a9b4eec76726ecf8d86e13227111a2be88
                                      • Instruction Fuzzy Hash: B4312620A0F6CD5FE7A69B748864AE47FB1EF4B310F0D04EED088DB197C9185945C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction ID: c00ab8dacdd34e5df0ad74eeaad5de679bd2179a6400084a9d7ab56429e9c680
                                      • Opcode Fuzzy Hash: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction Fuzzy Hash: 7F312B70E0A64E8FDB59DFA8D9506EDB7B1FF48300F10057AE019E3291DB389951CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction ID: 3eb9ddf89bf31ed275270a7a055c8b6ce69cd92175d3815db1d0d97dabc32b71
                                      • Opcode Fuzzy Hash: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction Fuzzy Hash: B611FC31E1A52D8ED769EB60D4617FCB275FF06301F4110B9D04DA2292DE396E44CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A08B1 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4fa76c2220675e033af33e4187891cfeedecf1765dfe9cac3ee46659c276870
                                      • Instruction ID: 9a11d5e20d8a6e62fa85ee712fb4e79035a7cb549d80db9566ce7f0c8a6e5ee9
                                      • Opcode Fuzzy Hash: f4fa76c2220675e033af33e4187891cfeedecf1765dfe9cac3ee46659c276870
                                      • Instruction Fuzzy Hash: 41F02230A1924E4FD394EB6488A55E8BFB0FF49300F8101EAD00CC60A2DF2826558300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a2ff7bf61833a1d02d2b4d9caa7468204a7ca1d5fc397017b7420cc0273a75d1
                                      • Instruction ID: 89aec98eea5033b2d85c61f8c9a8164de3a14669c8fabb5282681d1ac3591117
                                      • Opcode Fuzzy Hash: a2ff7bf61833a1d02d2b4d9caa7468204a7ca1d5fc397017b7420cc0273a75d1
                                      • Instruction Fuzzy Hash: 57F02831A4EA8D4FD715EB6888655EC7FA0FF45200F4501F6D458CB1E3EB386945C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction ID: f223197e4087428c2f3635a0dcedc09ba7c333b087cd94a4200a71155a387619
                                      • Opcode Fuzzy Hash: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction Fuzzy Hash: B9F0B43050D64D8FCB55DF14C4516E57BA0FF56300F0501AAE41CC7192CB79DA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A8399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction ID: b86191e9ae95e51a6c0a64fc94c6a66c806de541d07f2975c73c3c7c8b0e07ef
                                      • Opcode Fuzzy Hash: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction Fuzzy Hash: D4F08C3080E68D8FDB51EBA888682ED7FF0FF19304F4504A7D008D60A2DB346654CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction ID: d6900971d0672197baec63f717fb73311d13d4350e1b79349f57f883aea61e8c
                                      • Opcode Fuzzy Hash: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction Fuzzy Hash: 1EF05E3050960E8FDB55EF5494216E577A0FF59304F000176E41CD2195CA35E660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A81E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction ID: 177d08f533422be18da5ea660d2b8b510f6b0d31ff5337c95e642aaabc41f3ee
                                      • Opcode Fuzzy Hash: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction Fuzzy Hash: CBE0D871949D4C8BCB649B599C2029577B1FB4D304F41066DE44CC7191D7355E56C321
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a5000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction ID: 66179f01e23e7aaa0beb2b0866285ddbc1bedf3224308ce7378dec91a5eb95d8
                                      • Opcode Fuzzy Hash: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction Fuzzy Hash: 8FE06832909A0C4BCB509F989C6028873A4FB4C308F010269D44CD7184D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction ID: 61fa876d48b7d9e159915463b5e9ebf3a1559aceccce50a2f69ad9474c70305a
                                      • Opcode Fuzzy Hash: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction Fuzzy Hash: A0E0223180F2CE4FD7226F6088261E97B60FF06300F0A06BBD05C8A0D3DB2C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction ID: e764ec8c1b3b531a343fbad1aa230ff1f693fcaadfd3f80e9af0df34dcaf136a
                                      • Opcode Fuzzy Hash: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction Fuzzy Hash: F1F0E53194F38E4FD7666B6048651D97F70FF06200F0A06B6D058C61E3DB6C9658C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4648886f67a32d81c7a0fad7fa97f462b971f555d38c4b7bc35f6443ff4863fe
                                      • Instruction ID: b540e1dbafeeac457d47bb962c160761b207b4b2d062b3d7571bac75a15970eb
                                      • Opcode Fuzzy Hash: 4648886f67a32d81c7a0fad7fa97f462b971f555d38c4b7bc35f6443ff4863fe
                                      • Instruction Fuzzy Hash: 0FF0A271A1495E4FDFA8DF58C894BA9B3B1FB58344F5086E6900DE3255DA30AEC58F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 30e23b61984462143688f0acb97c49aa7f228fe9299e9ff039252866cc2b0332
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 3DE04F3450960ECFDBA8EF58C4506A677A1FF59304F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eecf91e0a390ba38c013b8e5d6d2f467ecca52005facec27d46b9e9e9d82b10f
                                      • Instruction ID: d55085b4d13b5fe1de175566236738921f495de742280a9d69738f5f28d977e5
                                      • Opcode Fuzzy Hash: eecf91e0a390ba38c013b8e5d6d2f467ecca52005facec27d46b9e9e9d82b10f
                                      • Instruction Fuzzy Hash: 28E0EC31F1551D8EDB58EB98E8517EDB771FF89315F8005B1D11CE3196DA306A418B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8A06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^U$M_^X$M_^f$M_^g
                                      • API String ID: 0-3044347950
                                      • Opcode ID: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction ID: 0131e3a94caf0220e34a8ae220d97852959a8a9b56db11ca76dc861bce4287de
                                      • Opcode Fuzzy Hash: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction Fuzzy Hash: 12517B53B0F6894BE722579C3C250B8BB91FF46A6075907F7E09C860E7FC16AA028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1879479260.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b8a0000_BxpXDwLzzgPDKkwHFtsUbGgAjn.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_I$M_^J$M_^K$M_^f$M_^g
                                      • API String ID: 0-1283126691
                                      • Opcode ID: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction ID: ed3dacb467e6259db3e102457e2a6bbf744c0f72c73059d6c052dc00d5bf8751
                                      • Opcode Fuzzy Hash: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction Fuzzy Hash: B8518A63B0F68D8BE72557AC3C200B87B91FF46B6071507F7D09C860E7FC16A9068295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B890F88 Relevance: .6, Instructions: 614COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 45575712198ef4fc3ae9cf0ed717b7cebdbd593251510a47ed21bb7d888f1855
                                      • Instruction ID: 3aee0c97da8f1df1d34e245d8918018d219321decef00570f2d8582aaa24f46e
                                      • Opcode Fuzzy Hash: 45575712198ef4fc3ae9cf0ed717b7cebdbd593251510a47ed21bb7d888f1855
                                      • Instruction Fuzzy Hash: AB42C770E1962D8FDBA8DF68C8A4BEDB7B1FF58301F5041A9D04DA7295DA346A81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8906E0 Relevance: 6.5, Strings: 5, Instructions: 238COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =N_^$?N_I$N_^X$N_^f$N_^g
                                      • API String ID: 0-3255808656
                                      • Opcode ID: 6a6997b739e3bae795b445deeb988b256d1fe587a40fb9e7f442c9d23bdec509
                                      • Instruction ID: 6740fe05a93645f13b30c810df476bf829f402a33846b129a62fba5a9da7e976
                                      • Opcode Fuzzy Hash: 6a6997b739e3bae795b445deeb988b256d1fe587a40fb9e7f442c9d23bdec509
                                      • Instruction Fuzzy Hash: CE618C63B0F6895BEB2697DC6CA51E87FA1FF49760B4502F7E058C70E7EC156A028381
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890F98 Relevance: 1.6, Strings: 1, Instructions: 371COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: &
                                      • API String ID: 0-2822232526
                                      • Opcode ID: 2efeb19350d8eb9a3ddb36157059fdb39942992721495cea36b50d515f2efefa
                                      • Instruction ID: 79e92b488d96f1dde89ff3c48105e7443c9910ece0acc8467a095fdaa0716f40
                                      • Opcode Fuzzy Hash: 2efeb19350d8eb9a3ddb36157059fdb39942992721495cea36b50d515f2efefa
                                      • Instruction Fuzzy Hash: 78D13B71E1965D8FDBACDB58D8A4BE8BBB1FF58300F4441B9D01DE32A6DA346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8904F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?N_^
                                      • API String ID: 0-1123592777
                                      • Opcode ID: f4031201e5a582e0a2d396e6bfbb3b2db755ad948456b1cf2f40b264d5d0c7e3
                                      • Instruction ID: f81a0918c252fd9d7bca808ca4fb4401466ed33aac772872a09b32639ecbfd15
                                      • Opcode Fuzzy Hash: f4031201e5a582e0a2d396e6bfbb3b2db755ad948456b1cf2f40b264d5d0c7e3
                                      • Instruction Fuzzy Hash: 7401D231A0D25E9FDB56EFA898A15F67BA0EF05308F0401BAE05CC6093EA68A551C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B897C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1d88e2323b8f72628cf7fc276e17ea4ae5e55ecfc3c0781c445e08d66a0f98a
                                      • Instruction ID: a89ec3bd4dc70c03afd73bf5000a1caeeca27aabace206532bdcaa28a61ac724
                                      • Opcode Fuzzy Hash: f1d88e2323b8f72628cf7fc276e17ea4ae5e55ecfc3c0781c445e08d66a0f98a
                                      • Instruction Fuzzy Hash: 53C17F74A0951E8FEBA4DFA884957BD7BB1FF98341F51817AD00DD32A6CB386942CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B893239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6653a189eab84bcab07567fa507e12361824355442a5a0d40cf81b4208bdb9cc
                                      • Instruction ID: 33284b96bf55c1c2b929db312d2ac6ec890b518d908c870a2f29d37b401cedaa
                                      • Opcode Fuzzy Hash: 6653a189eab84bcab07567fa507e12361824355442a5a0d40cf81b4208bdb9cc
                                      • Instruction Fuzzy Hash: 2BB14C71E1965D8FDBACDB58D8A4BA8B7B1FF58300F4441B9D00DE72A6DE346980CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8905D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf855fdfd39757b507d9a577cfc741b7bbdd8ec50778bbc3ab2b421243a93429
                                      • Instruction ID: 6d84a1e1124e9571c2d80a7d2d5d6cb123e27c95614c079d43f8eb418264276b
                                      • Opcode Fuzzy Hash: cf855fdfd39757b507d9a577cfc741b7bbdd8ec50778bbc3ab2b421243a93429
                                      • Instruction Fuzzy Hash: F281E231B1DA494BDF68EF5C88615B97BE2FF9C300B15457EE45EC3292DE34A9028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B896163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9b46c79dafb3deffe762429f6c20c3f5e5f436bddc6ffa23b47643312694dc3d
                                      • Instruction ID: 683624d3662f176d428007a2863deb4bdd9aed2a79cfde475747ef50fdb59b91
                                      • Opcode Fuzzy Hash: 9b46c79dafb3deffe762429f6c20c3f5e5f436bddc6ffa23b47643312694dc3d
                                      • Instruction Fuzzy Hash: 3D71A570E14A1D8FEB94EFA8C895BEDB7B1FF58300F5041AAD41DE3296DE3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895931 Relevance: .2, Instructions: 198COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: df158e902dda5770031fc1fb8a8fe02a89c6953e46be78738f8f130c30ec121d
                                      • Instruction ID: 98ff6a3aac366b1f47fb7c81bfb52cd3a41d745da41f0b719807aaf2a18e15d7
                                      • Opcode Fuzzy Hash: df158e902dda5770031fc1fb8a8fe02a89c6953e46be78738f8f130c30ec121d
                                      • Instruction Fuzzy Hash: 1661E830E0AA8D8FDB95EF68C464AADBBF1EF59314F0405BAE00DD7296CE34A941C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58e2961b1ea3757c8392de59f5e8cc7c7250528a1f1596243e68a1d279359c93
                                      • Instruction ID: 4a994c96676e8ed0b3a473769e2da9a284a9587cdab3cbe9fd51bda8c3de18b3
                                      • Opcode Fuzzy Hash: 58e2961b1ea3757c8392de59f5e8cc7c7250528a1f1596243e68a1d279359c93
                                      • Instruction Fuzzy Hash: 8F51DF30B1CA4A4FDB58EF5888645BA7BE2FF98304B15417EE45EC7292DE34E8028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 170b7e2f6f40b4ed6183ebbd835a3ad73134f0a550333bfb333d1e8505713021
                                      • Instruction ID: ba3b9e90740bbd95f8cb1d81de129e513bcac5a047be3791b74299c1f081a322
                                      • Opcode Fuzzy Hash: 170b7e2f6f40b4ed6183ebbd835a3ad73134f0a550333bfb333d1e8505713021
                                      • Instruction Fuzzy Hash: 75515071E0995D8FDF95EFA8C865AECBBF1FF59300F41016AE00DE7292CA64A941CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e6cad9c2ac0c4459a1fb7d905c407632643b8dea7cd2b657c6d9ee405396dd8
                                      • Instruction ID: f7bf7d2eaf7ed67202365577e024eccbf5e1ef5d51ee2ae643f49cc290919a87
                                      • Opcode Fuzzy Hash: 9e6cad9c2ac0c4459a1fb7d905c407632643b8dea7cd2b657c6d9ee405396dd8
                                      • Instruction Fuzzy Hash: 6951B561A0E69D4FEBA59BA88C657A87FA0EF59300F0540FBD08CC71E7DD246E85C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb3057290304f00da395ea2e3505f01b5b1b12c3a555ddf829e8cfb1f4570ceb
                                      • Instruction ID: 5f2f93aec6c9dcb71bebea6d4874afc480783a2f8bab7311b9c3d2602e3229a6
                                      • Opcode Fuzzy Hash: bb3057290304f00da395ea2e3505f01b5b1b12c3a555ddf829e8cfb1f4570ceb
                                      • Instruction Fuzzy Hash: 43319231E1E61E9AEB74BB9084217F8B6A1FF4A300F410279D45EA21E5CF396A45DB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da7494730a8f9ac99f6f8416a7c739ee32f98eaba70c2b373371e622dc092362
                                      • Instruction ID: 768efaf2062f4b19242fd2b40144f79bba8bdd72b0e857e39693bddf6ccc3da0
                                      • Opcode Fuzzy Hash: da7494730a8f9ac99f6f8416a7c739ee32f98eaba70c2b373371e622dc092362
                                      • Instruction Fuzzy Hash: BF415F35E19A1D9FDB54EB98C8A4AECBBF1FF59301F4100AAD009E72A1DB389945CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 490be3e05d415e0b2d2d8259d0b65570ea4307081eaeefc1565caef120a84c26
                                      • Instruction ID: 3bac03adc3151155f03f2fcf3b9b52cf4f634a58be8de3539dd0650955f147da
                                      • Opcode Fuzzy Hash: 490be3e05d415e0b2d2d8259d0b65570ea4307081eaeefc1565caef120a84c26
                                      • Instruction Fuzzy Hash: 3C416D70E1464D8FEB44EF98D865AEDBBB0FF48310F01017AE018E3296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8964E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3ab7237ffae021dfdb93f2bd7edfcc5d929d6cfb97b62bba6afd82c3e30b9551
                                      • Instruction ID: eda882d809ecc78bcfe34c7658ff53296492c1546730212aa3153f04432b6512
                                      • Opcode Fuzzy Hash: 3ab7237ffae021dfdb93f2bd7edfcc5d929d6cfb97b62bba6afd82c3e30b9551
                                      • Instruction Fuzzy Hash: D6418C70E096498FEB55EFA4C865AEDBBB1FF4A300F5101BAD049D7296CB389981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8983F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8ca210b0b9b7553e4929222440219668e000e60b8ab30b46b90b442a4127cd64
                                      • Instruction ID: f4692860c156d8ea6f2ee8a39040b53b1cd4239806bbcdade5aa55b22bdbb0f9
                                      • Opcode Fuzzy Hash: 8ca210b0b9b7553e4929222440219668e000e60b8ab30b46b90b442a4127cd64
                                      • Instruction Fuzzy Hash: 94315B31E0961E8FDB58DFA4D4646FDBBB1EF48305F01017AE019A22D1CA386A41CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 28e98cea766d649fd7d20d043d5eac3ab96b2d33c5c774e0aaf90e675b72275b
                                      • Instruction ID: 18dd55080e933d950fbe85f515913c48e48def4989b688a363134813da908cff
                                      • Opcode Fuzzy Hash: 28e98cea766d649fd7d20d043d5eac3ab96b2d33c5c774e0aaf90e675b72275b
                                      • Instruction Fuzzy Hash: 4C310671E0A65E8FDB59DFA8D8506EDBBB1FF48300F10056AE019E3291DB38A941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfbd15c629ce402446f2ca7244608ceef745f73244a00a71bc5ac12f9f1e0275
                                      • Instruction ID: a8114367ee7c9cc9b59218666ceedad555ef2a1e87b43209dde3730cf4b2ade4
                                      • Opcode Fuzzy Hash: bfbd15c629ce402446f2ca7244608ceef745f73244a00a71bc5ac12f9f1e0275
                                      • Instruction Fuzzy Hash: 0011FC31E1A52D8EDB69EB60D4617FCB671EF06301F8114B9D04EA2292CE356E44DB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8908B1 Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f981969a3ed04eb4a80332ca905148bd261154880f943275b06882324e234d5f
                                      • Instruction ID: bb471eef550f6d8f649d52ff6d4ff342967a6b83cbcb272a8ac85ab57b0e5f2a
                                      • Opcode Fuzzy Hash: f981969a3ed04eb4a80332ca905148bd261154880f943275b06882324e234d5f
                                      • Instruction Fuzzy Hash: 8AF02831A1964D8FD794EB6888995EC7FB0EF49300F8101FAD008D71A2DF3816458741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9fc3befdab20c6480cffba0a1dca6c3431f74121454bdd716ade23eeafb00bae
                                      • Instruction ID: 974281a46c6cd217830ab3c0fdb504ddbbdfd48eaece520b630f53f39258651c
                                      • Opcode Fuzzy Hash: 9fc3befdab20c6480cffba0a1dca6c3431f74121454bdd716ade23eeafb00bae
                                      • Instruction Fuzzy Hash: A0F02831A0E64D5FEB15EB6888A55ECBFA0EF44200F4101F6D418C71E3EB286946C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9f5de71d01e310d25de19f42e5ee6523df042c258de0c6b1d5f996b249653be
                                      • Instruction ID: 683c7e45f6f642c667c76ad803354b27e57d7bdbe11b3004d70b4304ad76e78f
                                      • Opcode Fuzzy Hash: a9f5de71d01e310d25de19f42e5ee6523df042c258de0c6b1d5f996b249653be
                                      • Instruction Fuzzy Hash: D8F0BE3050E64D8FCB66EF54C8556E93FA0FF5A304F0501AAE41CC7192CB7ADA65CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B898399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84076b5cb1771c9b9f6e62df6d028f9d3c691a5403e041b9549d9a1b91496198
                                      • Instruction ID: 973e39bc55e4f3e50bfa413c253c8de4928af218edb9e9094174672a4846466a
                                      • Opcode Fuzzy Hash: 84076b5cb1771c9b9f6e62df6d028f9d3c691a5403e041b9549d9a1b91496198
                                      • Instruction Fuzzy Hash: 32F0193191D68E8FDB51EBA888686AD7FF0FF1A304F0505A7D458D60A2DA3455448B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ae5eadda36293c1844d6bf955b0813ebf6c4e0d205ad985bb9f61d872076c60
                                      • Instruction ID: c73a1cfb75593f64e3e0008c71f261493adb5a5bc827a0156a1bef8181961530
                                      • Opcode Fuzzy Hash: 5ae5eadda36293c1844d6bf955b0813ebf6c4e0d205ad985bb9f61d872076c60
                                      • Instruction Fuzzy Hash: 84F05E3050960E8FDB55EF9494116E577A0FF59304F000176E41CD2195CA35A660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8981E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 885604a77612b4007665538a6f7475fabccb69192ee82b013977f59083f09ceb
                                      • Instruction ID: e2ec2e70e633c6ae88e18efbee7d7a10bc5649352f1e22dd7151f5da005ff06a
                                      • Opcode Fuzzy Hash: 885604a77612b4007665538a6f7475fabccb69192ee82b013977f59083f09ceb
                                      • Instruction Fuzzy Hash: 31E06832A49D0D8BCF609F98AC102843BB1FB4D304F01026DE04CC3180D3355E52C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb421aba41ecdfd5ea69e883e024c37e4698630aab55df376e19af45b9b23214
                                      • Instruction ID: 716a5aa4a74f656992352075b491c820e1c1d6a9f034f43921e73d89af15dad2
                                      • Opcode Fuzzy Hash: eb421aba41ecdfd5ea69e883e024c37e4698630aab55df376e19af45b9b23214
                                      • Instruction Fuzzy Hash: CFE06872A09A0C4BDB509F9CAC6028837A0FB4C308F010269D44CD7180D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f7d79206b12b07de61fd83f9da4de32b370e39b841b084be9c66662cce74ff9
                                      • Instruction ID: 5dc29335e76615ef497502ba6ce31a1219a49da787af1f3546836c0c06e8d05a
                                      • Opcode Fuzzy Hash: 2f7d79206b12b07de61fd83f9da4de32b370e39b841b084be9c66662cce74ff9
                                      • Instruction Fuzzy Hash: DAE0923185F68E5FDB266F6089661E97F60FF05310F0616FBD058861D3DB6C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1f98a806bba9975e56d2760c8cbbb1c488bb2ae63c72e8e6b2c22bed4af81a9
                                      • Instruction ID: 8b27181e0ccf9da73061104166d19654a517ccd7793feb9473d6d962f14127ea
                                      • Opcode Fuzzy Hash: b1f98a806bba9975e56d2760c8cbbb1c488bb2ae63c72e8e6b2c22bed4af81a9
                                      • Instruction Fuzzy Hash: 24F0E53194F38E4FDB666B6048611D97F70FF06600F0A06BAD068C61E3DB6CD658C342
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 03fc06d905c4f166435966ea36bd903e1257e74ce6f20be9d694e6b390a92519
                                      • Instruction ID: ebde122488c6f63defa1103dbbf2fce84b9f5413e17006baf717eb10a4c8eeb1
                                      • Opcode Fuzzy Hash: 03fc06d905c4f166435966ea36bd903e1257e74ce6f20be9d694e6b390a92519
                                      • Instruction Fuzzy Hash: 50F01271A0485E4FDFA8EF18C894BA9B3B1FB58340F1086E6900DE3255DA34AEC58F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: f30041032725aa9d0cdc4c1f37f2548c3d31e79fd394116e7dc55691a201d6d8
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 57E04F3050960ECFDFA4FF58C4506A67BA1FF58344F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e2f98d8bf6cfab87df4dec8c2a7e27170e429bf98a96eeb2da1f191f7cde259d
                                      • Instruction ID: 3fa93bba9618b4c3b44f0b48bbaab42a62faedbea09665f56a64c51910b6bf02
                                      • Opcode Fuzzy Hash: e2f98d8bf6cfab87df4dec8c2a7e27170e429bf98a96eeb2da1f191f7cde259d
                                      • Instruction Fuzzy Hash: 6AE0EC31F1551D8EDB58EB98E8117EDB771FF85315F8005B1D11CE3196DA3069458B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8906FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =N_^$?N_I$N_^U$N_^X$N_^f$N_^g
                                      • API String ID: 0-893460077
                                      • Opcode ID: 492069b6d2fae864101df20032f08b8a213227997577dc6a43dc202ffccb7524
                                      • Instruction ID: 8dc97e7f07101676ef18734aeee0b7967a5b85ea0b2859dab36eab07a6171790
                                      • Opcode Fuzzy Hash: 492069b6d2fae864101df20032f08b8a213227997577dc6a43dc202ffccb7524
                                      • Instruction Fuzzy Hash: 63518A63B0F6851BEB2297DC6CA51A87FA1FF45B6075901F7E198C70A7F815A90283C2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8906A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1880452904.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?N_I$N_^J$N_^K$N_^f$N_^g
                                      • API String ID: 0-3465608391
                                      • Opcode ID: 0e6d96fb6f5052b4dda33a4173e45613758cf99961ec4940e907fce15c08cde3
                                      • Instruction ID: 131f10e2c7c1654ef6655b4177617c089ce11ab38812a706647eca96fa643a23
                                      • Opcode Fuzzy Hash: 0e6d96fb6f5052b4dda33a4173e45613758cf99961ec4940e907fce15c08cde3
                                      • Instruction Fuzzy Hash: 5351A963B0F6951BEB2657EC2CA00A86F91FF85B7071506F7E198CB0E7E815A90683C1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8A0F88 Relevance: .6, Instructions: 613COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9874479d9e9213727ec0c2d914eae53810cff2324bed2d7531cc45bd40ea957f
                                      • Instruction ID: 505961aba92daec7e8f9d50492d6c69850e1d211fdeaf4dc32ed16590da5befa
                                      • Opcode Fuzzy Hash: 9874479d9e9213727ec0c2d914eae53810cff2324bed2d7531cc45bd40ea957f
                                      • Instruction Fuzzy Hash: 0D42D670E1962D8FDBA8DF68C8A0BEDB7B1FF58301F5045A9D00DA6295DB346A81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06E0 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^X$M_^f$M_^g
                                      • API String ID: 0-154525759
                                      • Opcode ID: b1e196f849515ae1567bc84376c46d4c55dd0a976c19860688e85f5b7eee0419
                                      • Instruction ID: b4f277ec39b16375b0843a2804371d81cd309dfa04968ca3c187213c8e902370
                                      • Opcode Fuzzy Hash: b1e196f849515ae1567bc84376c46d4c55dd0a976c19860688e85f5b7eee0419
                                      • Instruction Fuzzy Hash: 32615863B0F68D9BE725579C7C250B87BA0FF45B60B4503FBE05C860E7FD256A028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0F98 Relevance: 1.6, Strings: 1, Instructions: 371COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: &
                                      • API String ID: 0-2822232526
                                      • Opcode ID: 6c00a53f43127b34dd35e8765bbd1b43b2cd4a36806212c34f788d3030961915
                                      • Instruction ID: 4983cbf62dda90e8071c4c4cdb731367a8cea7475d5981761c8c69e43fbe62c0
                                      • Opcode Fuzzy Hash: 6c00a53f43127b34dd35e8765bbd1b43b2cd4a36806212c34f788d3030961915
                                      • Instruction Fuzzy Hash: 74D14C71E1965D8FDBACEB58D865BA8B7B1FF58300F4441B9D00DE32E2DA386981CB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_^
                                      • API String ID: 0-1086198800
                                      • Opcode ID: 8cabd58927a783d9318d9d5362806b46844f909c691534b2eaf131b259edd57f
                                      • Instruction ID: 3d8521bafb06154367cd6c1cff0b4bd3395916ff398081af40a7354ad919294e
                                      • Opcode Fuzzy Hash: 8cabd58927a783d9318d9d5362806b46844f909c691534b2eaf131b259edd57f
                                      • Instruction Fuzzy Hash: 2E01F531A0A25ECFC756EF6898A15F677A0FF05308F0402BAE05CC70D3EE29A551C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A7C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64b2748c3faaebd2355ac7b82509b3529eb1ba9a3e74cb6b0d7a1f5f77e9d185
                                      • Instruction ID: 7f8445fe192fc4a497ae92b58d998c540fb014f52dbd4427d072650460dfb425
                                      • Opcode Fuzzy Hash: 64b2748c3faaebd2355ac7b82509b3529eb1ba9a3e74cb6b0d7a1f5f77e9d185
                                      • Instruction Fuzzy Hash: 14C16B74E0E51D8FEBA4DBA88495BBD7BB1FF58300F514179C00DD3296DA386A82DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 74618f5f30745f367a06b66cf4dae37a0e18414e553b3452cd1a49282147d96a
                                      • Instruction ID: 2577d3ba8292d67337c187970afcae245e713283573329d56a3fb02e1da44ceb
                                      • Opcode Fuzzy Hash: 74618f5f30745f367a06b66cf4dae37a0e18414e553b3452cd1a49282147d96a
                                      • Instruction Fuzzy Hash: CBB16E71E19A5D8FDBACEB58D865BA8B7A1FF58300F4441B9D00DE72E2DE346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A05D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7c5abf4f76687a86eda696a53364dc6fbadaae675ee46a7abb67804af01d426
                                      • Instruction ID: d9638f63021583494f95167e29688675b120fbe4741530340d955a603c15c04d
                                      • Opcode Fuzzy Hash: b7c5abf4f76687a86eda696a53364dc6fbadaae675ee46a7abb67804af01d426
                                      • Instruction Fuzzy Hash: 6981E031B0DA494FDB68EF5C88605A977E2FF99700B15456AE49EC3292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A6163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a66c9421fbf027694054225b230d3e8988c770d288ebe3aa3a6f8071fe8279ba
                                      • Instruction ID: d2aa470fcd95a9aa68438b6b36b61b9c74919bf9205cdff7c23929cd03bc81a8
                                      • Opcode Fuzzy Hash: a66c9421fbf027694054225b230d3e8988c770d288ebe3aa3a6f8071fe8279ba
                                      • Instruction Fuzzy Hash: F871B570E1491D8FDB94EFA8C8A5BECB7B1FF58300F5041BAD41DE3295DA3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfb4ab4c5a99979b05eb96df850b8ad3f099215df7b3039f5c0964e39097c4ed
                                      • Instruction ID: dda21314199da0e545e0db3918eb48de3e6f086afecd7db00e4081cacd75964a
                                      • Opcode Fuzzy Hash: bfb4ab4c5a99979b05eb96df850b8ad3f099215df7b3039f5c0964e39097c4ed
                                      • Instruction Fuzzy Hash: 2451DF30B19A4D4FDB58EF1888645BA77E2FF99304B15417EE45EC7292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2CD9 Relevance: .2, Instructions: 166COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 63faf72c9e9b4d3dff2172500e28b5704a6430bd79ee71b35925214ff569a1c8
                                      • Instruction ID: 8da4a90d2d373aede06948d0bc82d0e4abc054be959d38f673b5ed2c2f14b660
                                      • Opcode Fuzzy Hash: 63faf72c9e9b4d3dff2172500e28b5704a6430bd79ee71b35925214ff569a1c8
                                      • Instruction Fuzzy Hash: 14516071E09A4D8FDBA4EFA8C465AEDB7F1FF59300F01016AE00DE7292CA24A941CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c74552699146b8cc79536923ce1ced59b75caaefe79d7a93ab254c792f3e4179
                                      • Instruction ID: 018f3c8e84ef9662b0e7a3ea03265fb9cccb702c3d2f60cabf5c13bade3db54b
                                      • Opcode Fuzzy Hash: c74552699146b8cc79536923ce1ced59b75caaefe79d7a93ab254c792f3e4179
                                      • Instruction Fuzzy Hash: 6951E561A0F69D4FE7B1ABA88D647A87BA0EF5A300F0541FBD08CC71E7DD242A85C751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc4183f404f8c82e956583adf87cc4733fde937caa9eb37dab8968f93423a479
                                      • Instruction ID: 81dfd5026df9d0b9b50f8e493e0f7379b3885173aa04c3c51a371722d7c5e403
                                      • Opcode Fuzzy Hash: fc4183f404f8c82e956583adf87cc4733fde937caa9eb37dab8968f93423a479
                                      • Instruction Fuzzy Hash: 09317031E1E61E8AE774BB9484217FCB2A1FF5A300F410279D45E931E5DF396A45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 024e0db1d792480a48920e95a7e31a52b9e300f0dd9b0252a54799cfff0ccffe
                                      • Instruction ID: e12f58d0f1a4e6fb286672bab4fb2bffd12f8f9e3e3e3361481b3f1388186d16
                                      • Opcode Fuzzy Hash: 024e0db1d792480a48920e95a7e31a52b9e300f0dd9b0252a54799cfff0ccffe
                                      • Instruction Fuzzy Hash: 0F418F71E09A1D8FDB54EBA8D864AECBBF0FF09300F4001BAE009E72A1DB349945CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 661fa5016820f7bbd4d0409300b797cd46ad571faea5d3612352ab1d78c59e70
                                      • Instruction ID: b8a21377be2cf282953f61fbb24386d799fffe175b579d55d9d9f5427605789c
                                      • Opcode Fuzzy Hash: 661fa5016820f7bbd4d0409300b797cd46ad571faea5d3612352ab1d78c59e70
                                      • Instruction Fuzzy Hash: 1E415D70E14A4D8FDB94EFA8D865AEDBBB1FF48310F05017AE008E7296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7b8a3e533e69e0f9bb2d312fcb5415184d65d5c1056bf82dbef4a552114cdede
                                      • Instruction ID: f83af0f06a025654ca595039acea9133a3d0b078dfc4303beb57de753d7b447d
                                      • Opcode Fuzzy Hash: 7b8a3e533e69e0f9bb2d312fcb5415184d65d5c1056bf82dbef4a552114cdede
                                      • Instruction Fuzzy Hash: 4E418F70D096498FDB55DFA4C865AED7BB1FF59300F5101BAD009D729ACB389981CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A83F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2dbda7c3d22aafb0b89cdaa980d584d463dd87e507a94adfa890060320eb8608
                                      • Instruction ID: 6aacff26ae82d5170906a19fccf6977238e409c1babc0282d6352d3193d2328b
                                      • Opcode Fuzzy Hash: 2dbda7c3d22aafb0b89cdaa980d584d463dd87e507a94adfa890060320eb8608
                                      • Instruction Fuzzy Hash: 5C315C31E0A61E8FDB58DFA4D4646FDB7B5EF48301F41017AE019A32D5CA386A41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5A29 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81a1c2ccc19354170faf9a49033ae8f510d65ad26bf82b420eb5fb7a36984ad7
                                      • Instruction ID: ced803fb44c15a8560c73d90ebfe10dca46f2955bff2b600d53bb915bca1b6be
                                      • Opcode Fuzzy Hash: 81a1c2ccc19354170faf9a49033ae8f510d65ad26bf82b420eb5fb7a36984ad7
                                      • Instruction Fuzzy Hash: 64315A71B08A4D8FDB98EF9CC495AADB7F2FF98305F10056AE41DD7295CB35A8428B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5931 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 725ca2723633eda223a0a06b963a7910c2c1ef5df58f3a45cd0013c8f76ba16a
                                      • Instruction ID: 373c513b0031ce4d5ec43f6a814cd0aaaaf9583c8d913068633f5367470648d2
                                      • Opcode Fuzzy Hash: 725ca2723633eda223a0a06b963a7910c2c1ef5df58f3a45cd0013c8f76ba16a
                                      • Instruction Fuzzy Hash: 6A31E420A0F6CD5FE7A69B788864AE47FB1EF4A314F0D04EED089DB197C9185985C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2BC9 Relevance: .1, Instructions: 90COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 720479cb1f31e78b2d8562306755af2393e3b9bc0fce24a8ddda6b6d084864c6
                                      • Instruction ID: 48f79e2a38517254c3e0e83b34e0b76c79e757eba71c57927005a97e3ad56a23
                                      • Opcode Fuzzy Hash: 720479cb1f31e78b2d8562306755af2393e3b9bc0fce24a8ddda6b6d084864c6
                                      • Instruction Fuzzy Hash: 8E312B70D0A64E8FDB59DFA8D9506EDB7B1FF08300F10057AE019E3291DB389950CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d71267af669dae2b53cea9e9760f857fb7234d67c3c702703733c6505f3ad2e
                                      • Instruction ID: 3eb9ddf89bf31ed275270a7a055c8b6ce69cd92175d3815db1d0d97dabc32b71
                                      • Opcode Fuzzy Hash: 9d71267af669dae2b53cea9e9760f857fb7234d67c3c702703733c6505f3ad2e
                                      • Instruction Fuzzy Hash: B611FC31E1A52D8ED769EB60D4617FCB275FF06301F4110B9D04DA2292DE396E44CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A08B1 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d1ed6ff0d3a65f0fb8ef849b25b75eca3e278f52ef7842308f515fa7f40c4322
                                      • Instruction ID: 2f53701089a274ece57d7bade62c7126096eb236d37863eb7ba30ba61074e367
                                      • Opcode Fuzzy Hash: d1ed6ff0d3a65f0fb8ef849b25b75eca3e278f52ef7842308f515fa7f40c4322
                                      • Instruction Fuzzy Hash: D7F04630A1924E4FD395EB7888A55ECBFB0FF49300F8101FAD00CC70A2DF2826558300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa9f283d0c7c3b676c098e879618a3cc14ffd314ab9752d92473649e0bf4fd0f
                                      • Instruction ID: c42a4948039ba447d674077f16ceebb553ef9692bad34885586c74c0e84e83c8
                                      • Opcode Fuzzy Hash: aa9f283d0c7c3b676c098e879618a3cc14ffd314ab9752d92473649e0bf4fd0f
                                      • Instruction Fuzzy Hash: 35F02831A4EA8D4FD755EB6888655EC7FA0FF45200F4501F6D458CB1E3EB386945C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction ID: f223197e4087428c2f3635a0dcedc09ba7c333b087cd94a4200a71155a387619
                                      • Opcode Fuzzy Hash: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction Fuzzy Hash: B9F0B43050D64D8FCB55DF14C4516E57BA0FF56300F0501AAE41CC7192CB79DA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A8399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5494d925a2842cded48908386a71f144557c934ed02c39685616b9fb713cc1ad
                                      • Instruction ID: b86191e9ae95e51a6c0a64fc94c6a66c806de541d07f2975c73c3c7c8b0e07ef
                                      • Opcode Fuzzy Hash: 5494d925a2842cded48908386a71f144557c934ed02c39685616b9fb713cc1ad
                                      • Instruction Fuzzy Hash: D4F08C3080E68D8FDB51EBA888682ED7FF0FF19304F4504A7D008D60A2DB346654CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 07caf1796695130ce877d6414e8bc72c33e5afecfcd7d392709b29f92c1aa112
                                      • Instruction ID: d6900971d0672197baec63f717fb73311d13d4350e1b79349f57f883aea61e8c
                                      • Opcode Fuzzy Hash: 07caf1796695130ce877d6414e8bc72c33e5afecfcd7d392709b29f92c1aa112
                                      • Instruction Fuzzy Hash: 1EF05E3050960E8FDB55EF5494216E577A0FF59304F000176E41CD2195CA35E660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A81E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction ID: 177d08f533422be18da5ea660d2b8b510f6b0d31ff5337c95e642aaabc41f3ee
                                      • Opcode Fuzzy Hash: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction Fuzzy Hash: CBE0D871949D4C8BCB649B599C2029577B1FB4D304F41066DE44CC7191D7355E56C321
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction ID: 66179f01e23e7aaa0beb2b0866285ddbc1bedf3224308ce7378dec91a5eb95d8
                                      • Opcode Fuzzy Hash: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction Fuzzy Hash: 8FE06832909A0C4BCB509F989C6028873A4FB4C308F010269D44CD7184D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction ID: 61fa876d48b7d9e159915463b5e9ebf3a1559aceccce50a2f69ad9474c70305a
                                      • Opcode Fuzzy Hash: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction Fuzzy Hash: A0E0223180F2CE4FD7226F6088261E97B60FF06300F0A06BBD05C8A0D3DB2C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction ID: e764ec8c1b3b531a343fbad1aa230ff1f693fcaadfd3f80e9af0df34dcaf136a
                                      • Opcode Fuzzy Hash: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction Fuzzy Hash: F1F0E53194F38E4FD7666B6048651D97F70FF06200F0A06B6D058C61E3DB6C9658C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 064cb9202b211bf3084a3912c839aa2e8a2860777c0f3ab7bcdd1ad5d8d3ba03
                                      • Instruction ID: e28aeff7ac8e67a690add1d4f763e87bdab93fa6017498953d990ed0ed941130
                                      • Opcode Fuzzy Hash: 064cb9202b211bf3084a3912c839aa2e8a2860777c0f3ab7bcdd1ad5d8d3ba03
                                      • Instruction Fuzzy Hash: FEF0A271A1495E4FDFA8DF58C894BA9B3B1FB58340F5086E6900DE3255DA30AEC58F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 30e23b61984462143688f0acb97c49aa7f228fe9299e9ff039252866cc2b0332
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 3DE04F3450960ECFDBA8EF58C4506A677A1FF59304F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 50c68fb79040a1e800e9a5935efed2556cf16e35283df20941ff010585711470
                                      • Instruction ID: 89b7aca2629d8e1d56370bcfce18b7cdb634244d76e19cd62dae3521c26bda08
                                      • Opcode Fuzzy Hash: 50c68fb79040a1e800e9a5935efed2556cf16e35283df20941ff010585711470
                                      • Instruction Fuzzy Hash: 86E0EC31F1551D4EDB58EB98E8117EDB771FF89311F8005B5D11CE3196DA306A418B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8A06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^U$M_^X$M_^f$M_^g
                                      • API String ID: 0-3044347950
                                      • Opcode ID: 4f77393c9139ac736e11187901fcc231d6d6dd5350079ff27cb4951d8f8e20a6
                                      • Instruction ID: 0131e3a94caf0220e34a8ae220d97852959a8a9b56db11ca76dc861bce4287de
                                      • Opcode Fuzzy Hash: 4f77393c9139ac736e11187901fcc231d6d6dd5350079ff27cb4951d8f8e20a6
                                      • Instruction Fuzzy Hash: 12517B53B0F6894BE722579C3C250B8BB91FF46A6075907F7E09C860E7FC16AA028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.1879479398.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_7ffd9b8a0000_dwm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_I$M_^J$M_^K$M_^f$M_^g
                                      • API String ID: 0-1283126691
                                      • Opcode ID: d4ed803195081c76f5b65aed6c4f62ac680eea46aa108309ded23715fa7430b5
                                      • Instruction ID: ed3dacb467e6259db3e102457e2a6bbf744c0f72c73059d6c052dc00d5bf8751
                                      • Opcode Fuzzy Hash: d4ed803195081c76f5b65aed6c4f62ac680eea46aa108309ded23715fa7430b5
                                      • Instruction Fuzzy Hash: B8518A63B0F68D8BE72557AC3C200B87B91FF46B6071507F7D09C860E7FC16A9068295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8A5141 Relevance: 9.4, Strings: 7, Instructions: 623COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: 072ce8ba95df218334e03a17509a72431a22a6e19152ac0072b5704173c67e11
                                      • Instruction ID: d5627ce5d65bda374520fe6dbeab873988522beb33161a63b99d2972bbe846b4
                                      • Opcode Fuzzy Hash: 072ce8ba95df218334e03a17509a72431a22a6e19152ac0072b5704173c67e11
                                      • Instruction Fuzzy Hash: 3D42E670E1962D8FDBA8DF68C8A0BEDB7B1FF58301F5041A9D04DA7295DA346A81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06E0 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^X$M_^f$M_^g
                                      • API String ID: 0-154525759
                                      • Opcode ID: 1580044a13390ab2691a87b035bf9a74c006a9032609066c139997ecf5161236
                                      • Instruction ID: acc9f654a5db64cf32b1833b9c6e39c2a3aff40c8424fcd086d0aeeeaaddd8ae
                                      • Opcode Fuzzy Hash: 1580044a13390ab2691a87b035bf9a74c006a9032609066c139997ecf5161236
                                      • Instruction Fuzzy Hash: 16615863B0F68D9BE725579C7C250B87BA0FF45B60B4503F7E09C860E7FD256A028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_^
                                      • API String ID: 0-1086198800
                                      • Opcode ID: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction ID: 3d8521bafb06154367cd6c1cff0b4bd3395916ff398081af40a7354ad919294e
                                      • Opcode Fuzzy Hash: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction Fuzzy Hash: 2E01F531A0A25ECFC756EF6898A15F677A0FF05308F0402BAE05CC70D3EE29A551C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction ID: c4eee4dfb26f822c80f2799e5fb765654599f6d40afb2291563f292b4d95e10b
                                      • Opcode Fuzzy Hash: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction Fuzzy Hash: F9D14C71E1965D8FDBACEB58D865BA8B7B1FF58300F4441B9D00DE32A2DE386981CB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A7C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea2a198808ed617420809e9e141d092ca781d245974c9c4d66a35e0d30f7b79e
                                      • Instruction ID: 7380226d7789bdbeb4923222bfba3aded1bed9d8cbe6c9f979dd888f774889c1
                                      • Opcode Fuzzy Hash: ea2a198808ed617420809e9e141d092ca781d245974c9c4d66a35e0d30f7b79e
                                      • Instruction Fuzzy Hash: 81C17B74E0A51ECFEBA4DBA884957BD7BB1FF58300F514179C00DD3296DA386A82DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction ID: 2577d3ba8292d67337c187970afcae245e713283573329d56a3fb02e1da44ceb
                                      • Opcode Fuzzy Hash: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction Fuzzy Hash: CBB16E71E19A5D8FDBACEB58D865BA8B7A1FF58300F4441B9D00DE72E2DE346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A05D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction ID: d9638f63021583494f95167e29688675b120fbe4741530340d955a603c15c04d
                                      • Opcode Fuzzy Hash: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction Fuzzy Hash: 6981E031B0DA494FDB68EF5C88605A977E2FF99700B15456AE49EC3292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A6163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8817f7ce243a88c1c0c4487570e5dde4286bf1e3fd0cb01ca01ec91f0afd9523
                                      • Instruction ID: 1682fa0f6d6ac09a86190c13293dfedaa37c74e0f1458719545272e581ca444d
                                      • Opcode Fuzzy Hash: 8817f7ce243a88c1c0c4487570e5dde4286bf1e3fd0cb01ca01ec91f0afd9523
                                      • Instruction Fuzzy Hash: BE71B570E1491D8FDB94EFA8C8A5BECB7B1FF58300F5041BAD41DE3295DA3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction ID: dda21314199da0e545e0db3918eb48de3e6f086afecd7db00e4081cacd75964a
                                      • Opcode Fuzzy Hash: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction Fuzzy Hash: 2451DF30B19A4D4FDB58EF1888645BA77E2FF99304B15417EE45EC7292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction ID: 55b8106ca91a02037857c674765e3698e297d3b487388b95cea0dd0541718278
                                      • Opcode Fuzzy Hash: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction Fuzzy Hash: 97516071E09A4D8FDBA4EFA8C465AEDB7F1FF59300F01016AE00DE7292CA24A941CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42d1703be140158491e3726d4217c60ea9dc3d16b55a3c10c4efca84b1df5dcf
                                      • Instruction ID: 4d1cabfcefc50e555cab442fdbebdb2da2dc76aa72bd1acb98c25e30f0c26017
                                      • Opcode Fuzzy Hash: 42d1703be140158491e3726d4217c60ea9dc3d16b55a3c10c4efca84b1df5dcf
                                      • Instruction Fuzzy Hash: 5D51E561A0F69D4FE7B1ABA88D647A87BA0EF5A300F0541F7D08CC71E7DD242A85C751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction ID: 81dfd5026df9d0b9b50f8e493e0f7379b3885173aa04c3c51a371722d7c5e403
                                      • Opcode Fuzzy Hash: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction Fuzzy Hash: 09317031E1E61E8AE774BB9484217FCB2A1FF5A300F410279D45E931E5DF396A45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 16ac99182a2c60da83a0e35f23693e4a878f2b50d3f7d15a90b74048860c6cbc
                                      • Instruction ID: 62fd2a73dcfd496f7d31a182618001cdc0e3460cbe66f0fd93a0f012ebbf0ad1
                                      • Opcode Fuzzy Hash: 16ac99182a2c60da83a0e35f23693e4a878f2b50d3f7d15a90b74048860c6cbc
                                      • Instruction Fuzzy Hash: 74418F71E09A1D8FDB94EB98D864AECBBF0FF09301F4000BAE009E72A1DB349945CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 661809f219b47197e7e236f6cf31d870c76108d3f4e12b545349d86c3055078f
                                      • Instruction ID: 94f139b856508eacff4e35705650a3ba64913bd810fde64eef7c98783c30c3ff
                                      • Opcode Fuzzy Hash: 661809f219b47197e7e236f6cf31d870c76108d3f4e12b545349d86c3055078f
                                      • Instruction Fuzzy Hash: F7418D70E0964D8FEB55DFA4C865AEDBBB1FF59300F5101BAD009D729ACB389982CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec4c392e4d9d9938f50f4d78559b38f74b0372694eb024178b1b4563cb7d3b38
                                      • Instruction ID: 34d6dc5b4c5de746fa6a9c43a5f9acd5f3eeef2603ac90961c2636089927347f
                                      • Opcode Fuzzy Hash: ec4c392e4d9d9938f50f4d78559b38f74b0372694eb024178b1b4563cb7d3b38
                                      • Instruction Fuzzy Hash: DE415B70E14A4D8FDB94EFA8D865AEDBBB1FF48310F05017AE008E7296DA346941CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A83F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e20a7ab53f353461d56e6a06aab4b8d02d0f9b298b61e77434b9dde79042c787
                                      • Instruction ID: dfb0bfea22d49b2d5650c874a0219ae0f43c99b96c56af3b48b91e2a0203bc0c
                                      • Opcode Fuzzy Hash: e20a7ab53f353461d56e6a06aab4b8d02d0f9b298b61e77434b9dde79042c787
                                      • Instruction Fuzzy Hash: 88315C31E0A61E8FDB58DFA4D4646FDB7B5EF48301F41017AE019A32D5CA385A41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5A29 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c659c54754f9178c13c4d9244eb8013e4602db360365fd9f28d11d9725f6314
                                      • Instruction ID: 779585995792a5a6a6e3b0ab1dd31c50951de8bf16114d9e8a392ce29b846161
                                      • Opcode Fuzzy Hash: 8c659c54754f9178c13c4d9244eb8013e4602db360365fd9f28d11d9725f6314
                                      • Instruction Fuzzy Hash: F9317A71B08A0D8FDB98EF9CC495AACB7F2FF98300F10056AE01DD3295DB35A8428B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5931 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7f87b691cee11485db14855bb66e4f67e99da001021d64d44a015db0773a2448
                                      • Instruction ID: 79c22e686ce8c1911d0d4716d479b5195a54eb43251a607347295cbcd9fde5fa
                                      • Opcode Fuzzy Hash: 7f87b691cee11485db14855bb66e4f67e99da001021d64d44a015db0773a2448
                                      • Instruction Fuzzy Hash: 9231E420A0F6CE5FE7A69B788864AE47FB1EF4A314F0D04EED089DB197C9189945C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction ID: c00ab8dacdd34e5df0ad74eeaad5de679bd2179a6400084a9d7ab56429e9c680
                                      • Opcode Fuzzy Hash: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction Fuzzy Hash: 7F312B70E0A64E8FDB59DFA8D9506EDB7B1FF48300F10057AE019E3291DB389951CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction ID: 3eb9ddf89bf31ed275270a7a055c8b6ce69cd92175d3815db1d0d97dabc32b71
                                      • Opcode Fuzzy Hash: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction Fuzzy Hash: B611FC31E1A52D8ED769EB60D4617FCB275FF06301F4110B9D04DA2292DE396E44CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A08B1 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 91bcccf9008c02e703aca687d1d63a64e6df3a81bbbed593ae7ce47a2996f322
                                      • Instruction ID: d52c35d6ad2e061e4254ff7f615e6f3be36596789a052cf9897328d333982b7d
                                      • Opcode Fuzzy Hash: 91bcccf9008c02e703aca687d1d63a64e6df3a81bbbed593ae7ce47a2996f322
                                      • Instruction Fuzzy Hash: 78F02230A1964E4FD394EB6488A55E8BFB0FF49300F8101EAD00CC30A2DF2826558300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 393dc059a9a7c0e39a0141a3f7d4c1710e28a60f5dd2e5644f1a143a9e6737f2
                                      • Instruction ID: f603f02ab288320bb7a486a76630ca128ba594703358c6bafdd178a64084f9fd
                                      • Opcode Fuzzy Hash: 393dc059a9a7c0e39a0141a3f7d4c1710e28a60f5dd2e5644f1a143a9e6737f2
                                      • Instruction Fuzzy Hash: C0F02232A4EA8D5FD715EB6888656ECBFA0FF49200F4501F6D458CB1E7EB38A946C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction ID: f223197e4087428c2f3635a0dcedc09ba7c333b087cd94a4200a71155a387619
                                      • Opcode Fuzzy Hash: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction Fuzzy Hash: B9F0B43050D64D8FCB55DF14C4516E57BA0FF56300F0501AAE41CC7192CB79DA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A8399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction ID: b86191e9ae95e51a6c0a64fc94c6a66c806de541d07f2975c73c3c7c8b0e07ef
                                      • Opcode Fuzzy Hash: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction Fuzzy Hash: D4F08C3080E68D8FDB51EBA888682ED7FF0FF19304F4504A7D008D60A2DB346654CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction ID: d6900971d0672197baec63f717fb73311d13d4350e1b79349f57f883aea61e8c
                                      • Opcode Fuzzy Hash: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction Fuzzy Hash: 1EF05E3050960E8FDB55EF5494216E577A0FF59304F000176E41CD2195CA35E660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A81E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction ID: 177d08f533422be18da5ea660d2b8b510f6b0d31ff5337c95e642aaabc41f3ee
                                      • Opcode Fuzzy Hash: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction Fuzzy Hash: CBE0D871949D4C8BCB649B599C2029577B1FB4D304F41066DE44CC7191D7355E56C321
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a5000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction ID: 66179f01e23e7aaa0beb2b0866285ddbc1bedf3224308ce7378dec91a5eb95d8
                                      • Opcode Fuzzy Hash: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction Fuzzy Hash: 8FE06832909A0C4BCB509F989C6028873A4FB4C308F010269D44CD7184D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction ID: 61fa876d48b7d9e159915463b5e9ebf3a1559aceccce50a2f69ad9474c70305a
                                      • Opcode Fuzzy Hash: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction Fuzzy Hash: A0E0223180F2CE4FD7226F6088261E97B60FF06300F0A06BBD05C8A0D3DB2C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction ID: e764ec8c1b3b531a343fbad1aa230ff1f693fcaadfd3f80e9af0df34dcaf136a
                                      • Opcode Fuzzy Hash: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction Fuzzy Hash: F1F0E53194F38E4FD7666B6048651D97F70FF06200F0A06B6D058C61E3DB6C9658C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b64ae8d1012a7b3020bd47a350ec761b1b1d8ef8216bea303de1f9251cd1e3d
                                      • Instruction ID: 14917c8d1c3d80991d78eb1476cc699ab3badefeb411ec6e2c8d3587f27c81bd
                                      • Opcode Fuzzy Hash: 1b64ae8d1012a7b3020bd47a350ec761b1b1d8ef8216bea303de1f9251cd1e3d
                                      • Instruction Fuzzy Hash: 05F09E71A1495E4EDFA8DF58C894BA9B3B1FB58340F5086E6900DE3255DA30AE858F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 30e23b61984462143688f0acb97c49aa7f228fe9299e9ff039252866cc2b0332
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 3DE04F3450960ECFDBA8EF58C4506A677A1FF59304F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8d19352a294f93111a705f85640827ec413c0fe498554c5e1d6db814a7a36791
                                      • Instruction ID: 2083f6a751ed4526dc40483602d7c820b7bdcee9a84356d7edaeb4f0a4431bfd
                                      • Opcode Fuzzy Hash: 8d19352a294f93111a705f85640827ec413c0fe498554c5e1d6db814a7a36791
                                      • Instruction Fuzzy Hash: BCE0E231F1592D8EDB58EB98E8217EDB771FF89311F8005B2D15CE319ADA306A428B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8A06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^U$M_^X$M_^f$M_^g
                                      • API String ID: 0-3044347950
                                      • Opcode ID: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction ID: 0131e3a94caf0220e34a8ae220d97852959a8a9b56db11ca76dc861bce4287de
                                      • Opcode Fuzzy Hash: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction Fuzzy Hash: 12517B53B0F6894BE722579C3C250B8BB91FF46A6075907F7E09C860E7FC16AA028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.1879428323.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_I$M_^J$M_^K$M_^f$M_^g
                                      • API String ID: 0-1283126691
                                      • Opcode ID: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction ID: ed3dacb467e6259db3e102457e2a6bbf744c0f72c73059d6c052dc00d5bf8751
                                      • Opcode Fuzzy Hash: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction Fuzzy Hash: B8518A63B0F68D8BE72557AC3C200B87B91FF46B6071507F7D09C860E7FC16A9068295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B875141 Relevance: 9.4, Strings: 7, Instructions: 624COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: a28c571ee4d9f370c1c07fdd566218ad499bbd5517aecf42604579e076b24bdc
                                      • Instruction ID: 4dfcc161568219e0d03bc7b28caed218fbb761077fbd3663c46fa951d4bb7a42
                                      • Opcode Fuzzy Hash: a28c571ee4d9f370c1c07fdd566218ad499bbd5517aecf42604579e076b24bdc
                                      • Instruction Fuzzy Hash: B542F670E1962D8FDBA8DF68C8A0BEDB7B1FF58305F1041A9D04DA7295DA346A81DF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8704F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?P_^
                                      • API String ID: 0-1413489715
                                      • Opcode ID: 811964cd5fe06c07300a6fa958c91c62da992bbc7b24ae92d013082abfe8cd90
                                      • Instruction ID: c159520f6c310e23802a3a10d625c1bd24ba9ef1b9c9db842fb9b1e7f6efdf3c
                                      • Opcode Fuzzy Hash: 811964cd5fe06c07300a6fa958c91c62da992bbc7b24ae92d013082abfe8cd90
                                      • Instruction Fuzzy Hash: 7601D271A0E25E8FD755EF6898A16E63BA0EF05318F0401BAE05CC7093DA28A551D781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B870F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e5fbbd03deb558eaf79cd118fa9cc42a933c0f6e09cbd72efb5e7c6462e0761d
                                      • Instruction ID: 5bb3d01d5660c3c7cea9f6a7da07eb735f1f696c64822aad3707c4d75af01c6f
                                      • Opcode Fuzzy Hash: e5fbbd03deb558eaf79cd118fa9cc42a933c0f6e09cbd72efb5e7c6462e0761d
                                      • Instruction Fuzzy Hash: 8CD16C71E1965D8FDB6CDB98D8A4BA8B7B1FF58304F0401B9D00DE32E2DA346A81DB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B877C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 76b7f5b4f63af8ca0746cbca827bcd8f535ffc6e96dc678f6ddd70abe4ca3e47
                                      • Instruction ID: 681220391e7ede6f78a47d58dadff910f45587203bd9c05008a3902422848a79
                                      • Opcode Fuzzy Hash: 76b7f5b4f63af8ca0746cbca827bcd8f535ffc6e96dc678f6ddd70abe4ca3e47
                                      • Instruction Fuzzy Hash: 61C17A31A1E51D8FDBA4DBA884E5BBC77E1FF59305F514179C00DD32A2CA386982DB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B873239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf7c21be9c14956bc64bc0cef1ec71aa2dc8451e16a3ebefd3b8949db1d44de0
                                      • Instruction ID: 52315542401e9c7410f4676d54757aed43817e607cb90b08bb7473a82216d70d
                                      • Opcode Fuzzy Hash: cf7c21be9c14956bc64bc0cef1ec71aa2dc8451e16a3ebefd3b8949db1d44de0
                                      • Instruction Fuzzy Hash: F6B17271E1965E8FDBACDB58C8A4BA8B7A1FF58304F0401B9D00DD72E2DE346A81CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8705D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 598399e8af5e5c9f7a5c3d00bbc04a73d822632fdf78f1252ed406f252342859
                                      • Instruction ID: 74e01b867b3edf7017b93428d4cd16675a737ef0b619b7e0aa33d285544a88d9
                                      • Opcode Fuzzy Hash: 598399e8af5e5c9f7a5c3d00bbc04a73d822632fdf78f1252ed406f252342859
                                      • Instruction Fuzzy Hash: CA81D231B1DA494FDF68EF5888A05B977E2FF98704B15057EE45EC32A2DE34A9028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B876163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18478db9b5751b20e8a6f229cfdeeac2272df690bdec87e00ddeae449337e7be
                                      • Instruction ID: 5e35f227d1192b07aa0bf9aee0b39da998e6c83644ec2a13fd4bb8aaf6e1a911
                                      • Opcode Fuzzy Hash: 18478db9b5751b20e8a6f229cfdeeac2272df690bdec87e00ddeae449337e7be
                                      • Instruction Fuzzy Hash: 7F71B570E1491D8FEB94EFA8C895BECB7B1FF58304F5041BAD41DE3296DA3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f58f89655c6eebf45e61d11203fe55db73e8a00a44a3d167d4c4f82c3b19616
                                      • Instruction ID: 3a3807ea80787f7450553ee3f1a009baf6c35f29106f1b3a25bf260862409bd4
                                      • Opcode Fuzzy Hash: 5f58f89655c6eebf45e61d11203fe55db73e8a00a44a3d167d4c4f82c3b19616
                                      • Instruction Fuzzy Hash: 7851D130B18A4D4FDB5CDF1888A45B977E2FF98308B15417EE45EC3292DE34E9028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B872CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e51685fad25e9cfb4726c950f7ae08e29eb9223c3c374f791db453f183f3378
                                      • Instruction ID: 78a1adc1e850ce577a5241b6de84c6978c6aba64ea39cea1b605e6fb285551e2
                                      • Opcode Fuzzy Hash: 7e51685fad25e9cfb4726c950f7ae08e29eb9223c3c374f791db453f183f3378
                                      • Instruction Fuzzy Hash: 82515171A0995D8FDB95EF98C495AECBBF1FF5A304F41016AD00DE7292CA34A941DB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8706F0 Relevance: .2, Instructions: 162COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 97f48425789e3d1801fb65c41dadfcd91738a790441b741d35ce7f0861981c1e
                                      • Instruction ID: cc6e51add125ad760cc65800bcb2cf99ea8de270fab4490ee7f1ddd6f32d8a0d
                                      • Opcode Fuzzy Hash: 97f48425789e3d1801fb65c41dadfcd91738a790441b741d35ce7f0861981c1e
                                      • Instruction Fuzzy Hash: 8841BF30B18A4D8BDB5CEF5888A45BA73E2FFD8309B14457EE45ED3295DE34E8028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B871828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c792bdbc05c93ee5e09a771fd4cc327cbf8fb03903c713a69f88da937bc2a65
                                      • Instruction ID: c449c215e9f7549fa0af1c570803e1332de9a404e91115084bf5647da064fb16
                                      • Opcode Fuzzy Hash: 6c792bdbc05c93ee5e09a771fd4cc327cbf8fb03903c713a69f88da937bc2a65
                                      • Instruction Fuzzy Hash: 0A319530E1E61E8AEB74BB5084A17F8B2A1FF4A304F4102B9D45D935E5CF396A45E780
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B871CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c7d5f1fa12625bbbe49c52ea2a9a40153d75044bf0b71bd96be6f7c66d07f25d
                                      • Instruction ID: 422642abafcac4627f75ecfbcbcde33b76a1cb5190f5feb85464675ace769652
                                      • Opcode Fuzzy Hash: c7d5f1fa12625bbbe49c52ea2a9a40153d75044bf0b71bd96be6f7c66d07f25d
                                      • Instruction Fuzzy Hash: 6B415E71E19A1D8FDB54EB98D8A4AECBBF1FF58304F4505AAD009E72A1DB34A945CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B875FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7087eb77f7e5efa77c33d780788a01b4e5f7d9733c4635507854089fc5b84379
                                      • Instruction ID: 9f1c2f177a71ec814a8bcfb622492e6d75baf0da17560a0c71ea1db654e12a1b
                                      • Opcode Fuzzy Hash: 7087eb77f7e5efa77c33d780788a01b4e5f7d9733c4635507854089fc5b84379
                                      • Instruction Fuzzy Hash: 8E415E70E1464D8FDB54EF98D8A5AEDBBB1FF48310F05017AE008E7296DA346941CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8764E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 88c4273abc443d041fa29ed216ebb5fbd829b069f99af2e4dd7cf4ff451cb27a
                                      • Instruction ID: c8a038d2ce6dca8ef0540155d618347bbc8c64ab3f227ff0e2ab23a2809c8a5d
                                      • Opcode Fuzzy Hash: 88c4273abc443d041fa29ed216ebb5fbd829b069f99af2e4dd7cf4ff451cb27a
                                      • Instruction Fuzzy Hash: 41418D70D096498FEB55DFA4C8A5AEDBBB1FF4A304F5101BAD009D7296CB389981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8783F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e78a5e7846868a781ca52c0cede2c714ce4fd533c89b00dfe5dba2853a9d2ddc
                                      • Instruction ID: f5a6d8dbde0c93cfd7f12f65fb4bb6f1c1268012b8e8fb4476cc45845ce81003
                                      • Opcode Fuzzy Hash: e78a5e7846868a781ca52c0cede2c714ce4fd533c89b00dfe5dba2853a9d2ddc
                                      • Instruction Fuzzy Hash: 3B317C31E0961E8FDB68DFA4D4A4AFDB7B0EF48304F11017AE019E32D1CA786A41DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B875A29 Relevance: .1, Instructions: 101COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 611c1aa5dc030c932a8a34a24a477f74bda276d29dadc59c3a776ab73daaea2d
                                      • Instruction ID: 33a3564f213d196be960b466b2845cb1211f086b27cb4fc6a11ea28de31a45dd
                                      • Opcode Fuzzy Hash: 611c1aa5dc030c932a8a34a24a477f74bda276d29dadc59c3a776ab73daaea2d
                                      • Instruction Fuzzy Hash: 5D313A71A08A4D8FDB94EF9CC495AADB7F2FF98305F10057AE01DD7295CB35A8428B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B875931 Relevance: .1, Instructions: 97COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1fe19a5ed3ffeb41bd78c2bc54ca15ea6696e360552df73898b254e2806dc9f
                                      • Instruction ID: 86bfe0114d6dffb8de749bc1e8ce654a6a7f02958c359388f8add0be35250cc5
                                      • Opcode Fuzzy Hash: c1fe19a5ed3ffeb41bd78c2bc54ca15ea6696e360552df73898b254e2806dc9f
                                      • Instruction Fuzzy Hash: 2331022060F6CD5FE7A29B748869AE4BFA1EF4B214F0D04EED089DB197C8196945D312
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B872BDC Relevance: .1, Instructions: 83COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4dc131a4ad3766f0a1e4e82f019b8d26ae61b72f9784682b9300d277cca27038
                                      • Instruction ID: 46c58ee05d4e8fd2c8359102f3a2ff8e8d4f33affe4fcc3a20ac02ec5c34a901
                                      • Opcode Fuzzy Hash: 4dc131a4ad3766f0a1e4e82f019b8d26ae61b72f9784682b9300d277cca27038
                                      • Instruction Fuzzy Hash: 47211470E0A64E8FDB58DFA8D8946EDB7B1FF58304F10047AE019E3295DB34AA50CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87242C Relevance: .1, Instructions: 79COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1aa8256a1000d42022445461e7451488693fe9993a1b071f6e766075b49df24
                                      • Instruction ID: 81fd89b2232a1841fd85d8276e663eec853e76fbf397f582cb4128eb9d96f4dc
                                      • Opcode Fuzzy Hash: c1aa8256a1000d42022445461e7451488693fe9993a1b071f6e766075b49df24
                                      • Instruction Fuzzy Hash: 0B313E71E1AA1D8EEBE4EB6888957A972B1FF49304F4041F6D00CD32A5DE342AC4CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: efa50033da3f2bd539911d43cc1e5376f001a1a581c1e28c609bf510e18d65b6
                                      • Instruction ID: 160d5842d91aacfa0be0899220ff9754bcec1445aa0a170f133df66d8f44d500
                                      • Opcode Fuzzy Hash: efa50033da3f2bd539911d43cc1e5376f001a1a581c1e28c609bf510e18d65b6
                                      • Instruction Fuzzy Hash: 9311FC31E1A52D8EDB69EF60D4A17FCB271EF06305F4110B9D04DA32A2CE356E45EB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8708B1 Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 262a80d69325ae84a2a91bfeb25a1e52be811acd7b7438a6137ac9b0624ec911
                                      • Instruction ID: dc1b137e506a354eef36256e391dd606479c224b7d0c2e3257815a016f3756b5
                                      • Opcode Fuzzy Hash: 262a80d69325ae84a2a91bfeb25a1e52be811acd7b7438a6137ac9b0624ec911
                                      • Instruction Fuzzy Hash: FEF0F431A1964D9FD794DB68C8955EC7FB0EF48344F4101FAD408C70A2DE3426458741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B871241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8fcd5a39797002345f2f36c4a47cb47b1043d0137696a15eefdcac40273eaa43
                                      • Instruction ID: 644fde51e71fa873b79e1e64fc9d56919c34e007da30e4b170a4df874bbaa640
                                      • Opcode Fuzzy Hash: 8fcd5a39797002345f2f36c4a47cb47b1043d0137696a15eefdcac40273eaa43
                                      • Instruction Fuzzy Hash: CAF0903050D64D8FCB95EF14C8912A57BB0FF55304F1501AAD41CC7592CB7ADA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B878399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b9265c2204bd01e95614d1e45e55aefa2f045e4b4d542f74e94cdc8243a4ac6b
                                      • Instruction ID: 8edfe56362d1a2462f2b55a78072cedc18fbd505912f23417c4d0e50948c299a
                                      • Opcode Fuzzy Hash: b9265c2204bd01e95614d1e45e55aefa2f045e4b4d542f74e94cdc8243a4ac6b
                                      • Instruction Fuzzy Hash: 8CF0693080D68D8FDB51EB6888A86AD7FF0FF19304F0504A7D048D70A2D73465448B01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B871F6C Relevance: .0, Instructions: 33COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 350f45803ce395152d4417b8a9a65cd158ee6612cf65f7dadffda3c38c54fce1
                                      • Instruction ID: cecd1494277d6747e6013ffdf0f0caa5a590f8f2ad2cb4cf91c3c89f38e46dcd
                                      • Opcode Fuzzy Hash: 350f45803ce395152d4417b8a9a65cd158ee6612cf65f7dadffda3c38c54fce1
                                      • Instruction Fuzzy Hash: F7F0E931A0954D4BE754FB6888A55ED7BA0EF48244F4000B5E81DD70E6DF356A55C281
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B870528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e71eb6d211cf2d0cfcf6ce121dbb10d1c1b2eae7b6bd9433a05a88847e5fbcc2
                                      • Instruction ID: 2c5f147a0a79f0122c9b7a518f1b0b2b15e7189ce621e97d72be50f961edb41d
                                      • Opcode Fuzzy Hash: e71eb6d211cf2d0cfcf6ce121dbb10d1c1b2eae7b6bd9433a05a88847e5fbcc2
                                      • Instruction Fuzzy Hash: 4FF0823050960ECFDB55EF54D4916F577A0FF59308F000176E41CD35D5CA35A660D781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8781E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb59c368559ca685a5ef77fb8d11176cf3dd8e120c0d452afc64fe50e98931cb
                                      • Instruction ID: fc743aec8ed57d406eda7ceae3b998bf0b7a414bcd7997764533d4e23587b246
                                      • Opcode Fuzzy Hash: fb59c368559ca685a5ef77fb8d11176cf3dd8e120c0d452afc64fe50e98931cb
                                      • Instruction Fuzzy Hash: 95E0D871949D4C8BCF64AB5A9C5029477B1FB4D308F01026DE45CC7191E7355E56C311
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B87685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B875000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B875000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b875000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4fe2c22fa54a598f43179f742694cbb2597163c56f9d5f2088af5726e8f1815c
                                      • Instruction ID: 2d00b35a4df469eab5a5c102efb22efd1486dab81d9a87adb4f18cb63ccec929
                                      • Opcode Fuzzy Hash: 4fe2c22fa54a598f43179f742694cbb2597163c56f9d5f2088af5726e8f1815c
                                      • Instruction Fuzzy Hash: 7CE0DF72A4AA4C8BDB65AF99ACA029877A0FB8D30CF0102AAE44CD71D5D7756695C302
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B870530 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5b01a90eb6a70d1a918cb76adfb5ae6603397797f04141794992d71152ca3c41
                                      • Instruction ID: 0427cfaeb601c18a681c2d23e16f61e3a75a251e350abd538ef023dd3ffb5b53
                                      • Opcode Fuzzy Hash: 5b01a90eb6a70d1a918cb76adfb5ae6603397797f04141794992d71152ca3c41
                                      • Instruction Fuzzy Hash: 8BF03930A0A60E8FDBA4EF54C4916AA73A0FF59308F000139E41CD3594CA35E660DB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B872536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 936f4680cc100d1dd9bf1c185e18904304785096e001a977cfcddbcb986bf986
                                      • Instruction ID: 7be4d5ac6fdb41a32d18955c9ca09a4e0622f1eecbb044b1b3114aaaf6d463d2
                                      • Opcode Fuzzy Hash: 936f4680cc100d1dd9bf1c185e18904304785096e001a977cfcddbcb986bf986
                                      • Instruction Fuzzy Hash: A1F0A271E1595E4FDFA4DF58C894BA9B3B1FB58344F1086E6900DE3255DA30AEC58F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B871F2C Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f5713b7fa64af13a35a2711fb6dbeb15c0dcb94f43b6141dbc472ec363306648
                                      • Instruction ID: a4c1fe464de974b6bc8c775c10e971412e4508a610398a75485dbad79c1487ce
                                      • Opcode Fuzzy Hash: f5713b7fa64af13a35a2711fb6dbeb15c0dcb94f43b6141dbc472ec363306648
                                      • Instruction Fuzzy Hash: DEE0C23181E14E4AEB217F5448A21E97A50FF09308F050579F41C82091DB78A764D381
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B871C2C Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2765c1be2f8f65200c45d608783b136e7c4689c9f5fc2bb48a521d1f58cc1866
                                      • Instruction ID: d45cc85cdb49cdebf2b6fd6f73a5af33f843aa759ab8a785563b87bd73bec3f9
                                      • Opcode Fuzzy Hash: 2765c1be2f8f65200c45d608783b136e7c4689c9f5fc2bb48a521d1f58cc1866
                                      • Instruction Fuzzy Hash: 97E0C23185F64E4BEB657F9448A51E9BA60FF49308F040539E42C830E1DAA8A3649342
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B870C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000018.00000002.1881271225.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_24_2_7ffd9b870000_services.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 99e22494ba86d541351929474186f20a58984ff8c144d16ffa9dc6efdcd3ed68
                                      • Instruction ID: e8a1b3d1e6700e86daa0ea7f3bf0acec48482ce6dc4ffe73d6fe78bc6d91704f
                                      • Opcode Fuzzy Hash: 99e22494ba86d541351929474186f20a58984ff8c144d16ffa9dc6efdcd3ed68
                                      • Instruction Fuzzy Hash: 8CE08C31F1051D4ECB58EB88E8107EDB771FF85301F8000B1C00CE3196DA306A418B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B895141 Relevance: 9.4, Strings: 7, Instructions: 624COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: 9b4e660b3970334eeefefabd55d6fbe006235871f4a7cd7e36a4395b0ee12ee7
                                      • Instruction ID: 345b224d3c59820d4249ff879805b74a3b96aeeaf629c2d42495fbed20e1d319
                                      • Opcode Fuzzy Hash: 9b4e660b3970334eeefefabd55d6fbe006235871f4a7cd7e36a4395b0ee12ee7
                                      • Instruction Fuzzy Hash: 3B42F770E1962D8FDBA8DF68C8A0BEDB7B1FF59301F5041A9D04DA7295DA346A81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8906E0 Relevance: 6.5, Strings: 5, Instructions: 238COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =N_^$?N_I$N_^X$N_^f$N_^g
                                      • API String ID: 0-3255808656
                                      • Opcode ID: ba26da587a15c4500c163239fafdc97cdb020747766515acf6833175e43210fb
                                      • Instruction ID: f6d2e6ee30e51e27e9dd29b12be5ce6ff2f60fbb154c43a94573ea676b239da3
                                      • Opcode Fuzzy Hash: ba26da587a15c4500c163239fafdc97cdb020747766515acf6833175e43210fb
                                      • Instruction Fuzzy Hash: D4618C63B0F6895BEB2697DC6CA51E87FA1FF49760B4502F7E058C70E7EC156A028381
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8904F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?N_^
                                      • API String ID: 0-1123592777
                                      • Opcode ID: 2dcacda7d6ccb632441c59282721a488007c054c61b2754eb91aa511bd10fa70
                                      • Instruction ID: f81a0918c252fd9d7bca808ca4fb4401466ed33aac772872a09b32639ecbfd15
                                      • Opcode Fuzzy Hash: 2dcacda7d6ccb632441c59282721a488007c054c61b2754eb91aa511bd10fa70
                                      • Instruction Fuzzy Hash: 7401D231A0D25E9FDB56EFA898A15F67BA0EF05308F0401BAE05CC6093EA68A551C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fa31d29a8ba8e9f8ff486b56020db2a1b861ea662426c22b63862c3209b9f82f
                                      • Instruction ID: 9f8185921b38824b65ff334d00ff567269a3d787647d87019f037835d1abc9af
                                      • Opcode Fuzzy Hash: fa31d29a8ba8e9f8ff486b56020db2a1b861ea662426c22b63862c3209b9f82f
                                      • Instruction Fuzzy Hash: 4AD13B71E1965D8FDBACDB58D8A4BE8BBB1FF58300F4441B9D01DE32A6DA346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B897C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58da6f506f1024c5375a443877d494cb777e30f4bc20d21d311deab5517f8366
                                      • Instruction ID: 0455c09f74d12c98431c7da3ecc33a1ab79ce7194c0f383aecdd26028d982c35
                                      • Opcode Fuzzy Hash: 58da6f506f1024c5375a443877d494cb777e30f4bc20d21d311deab5517f8366
                                      • Instruction Fuzzy Hash: 90C16E74A0A55E8FEFA4DBA884957BD7BB1FF98340F51417AD00DD32A6CB386942CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B893239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4bb9bfd976ee4b6623b860cfd50dcfd86115e455c35f71a5e5864dfc5fffbd7
                                      • Instruction ID: 33284b96bf55c1c2b929db312d2ac6ec890b518d908c870a2f29d37b401cedaa
                                      • Opcode Fuzzy Hash: e4bb9bfd976ee4b6623b860cfd50dcfd86115e455c35f71a5e5864dfc5fffbd7
                                      • Instruction Fuzzy Hash: 2BB14C71E1965D8FDBACDB58D8A4BA8B7B1FF58300F4441B9D00DE72A6DE346980CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8905D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0197c256963c4d90de6a764e46e952f890dc3d3b1994f335781cfae084d5826
                                      • Instruction ID: 6d84a1e1124e9571c2d80a7d2d5d6cb123e27c95614c079d43f8eb418264276b
                                      • Opcode Fuzzy Hash: f0197c256963c4d90de6a764e46e952f890dc3d3b1994f335781cfae084d5826
                                      • Instruction Fuzzy Hash: F281E231B1DA494BDF68EF5C88615B97BE2FF9C300B15457EE45EC3292DE34A9028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B896163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1345e0fc5ff9c149ba5cfc7ec9c5463aa44e8b2856259893b7753afe39af69ce
                                      • Instruction ID: 47cd4d677b901df4a63a69c865c21b8763c0679515332be3ec3c91525e731ca1
                                      • Opcode Fuzzy Hash: 1345e0fc5ff9c149ba5cfc7ec9c5463aa44e8b2856259893b7753afe39af69ce
                                      • Instruction Fuzzy Hash: 0A71A570E14A1D8FDB94EFA8C895BECB7B1FF58300F5041AAD41DE3295DE3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895931 Relevance: .2, Instructions: 198COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 846ee7eeafd0c1b9ad4b1fddab33a8db0d3dd13e1e557c02c28a00b517253602
                                      • Instruction ID: 52e7e653b40d4ef8d0c706306404c0047e5cb64a5765d9f3adc514fd7db50a9d
                                      • Opcode Fuzzy Hash: 846ee7eeafd0c1b9ad4b1fddab33a8db0d3dd13e1e557c02c28a00b517253602
                                      • Instruction Fuzzy Hash: 9961E570A0AA8D4FDB95EF68C464AACBFF1EF99300F0405BAE04DD7296CE34A941C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47aed0f2d22d6eccd6793309ca2844414dc1ea52616f1a6c1ba7edee7c24180b
                                      • Instruction ID: 4a994c96676e8ed0b3a473769e2da9a284a9587cdab3cbe9fd51bda8c3de18b3
                                      • Opcode Fuzzy Hash: 47aed0f2d22d6eccd6793309ca2844414dc1ea52616f1a6c1ba7edee7c24180b
                                      • Instruction Fuzzy Hash: 8F51DF30B1CA4A4FDB58EF5888645BA7BE2FF98304B15417EE45EC7292DE34E8028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 170b7e2f6f40b4ed6183ebbd835a3ad73134f0a550333bfb333d1e8505713021
                                      • Instruction ID: ba3b9e90740bbd95f8cb1d81de129e513bcac5a047be3791b74299c1f081a322
                                      • Opcode Fuzzy Hash: 170b7e2f6f40b4ed6183ebbd835a3ad73134f0a550333bfb333d1e8505713021
                                      • Instruction Fuzzy Hash: 75515071E0995D8FDF95EFA8C865AECBBF1FF59300F41016AE00DE7292CA64A941CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e424558bd5fda5d013a5d4ebb01a059bc0a83fb9355ed96b5710c80d1edd33fd
                                      • Instruction ID: 78fcf691497f1d38996320515263927299071c6fd09cf7b25852a4c255e70d12
                                      • Opcode Fuzzy Hash: e424558bd5fda5d013a5d4ebb01a059bc0a83fb9355ed96b5710c80d1edd33fd
                                      • Instruction Fuzzy Hash: 4451E262A0E69D4FEBA59BA88C653A87FA0EF59300F0540FBD08CC71E7DD246E85C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb3057290304f00da395ea2e3505f01b5b1b12c3a555ddf829e8cfb1f4570ceb
                                      • Instruction ID: 5f2f93aec6c9dcb71bebea6d4874afc480783a2f8bab7311b9c3d2602e3229a6
                                      • Opcode Fuzzy Hash: bb3057290304f00da395ea2e3505f01b5b1b12c3a555ddf829e8cfb1f4570ceb
                                      • Instruction Fuzzy Hash: 43319231E1E61E9AEB74BB9084217F8B6A1FF4A300F410279D45EA21E5CF396A45DB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a97a3dcc1483d686c99a7b0600878b48316ff567f78427e4b31ef346f565cbe
                                      • Instruction ID: 0cdec1bd3de8e6cd4cff7d06fd3e669cfa6df96d9543faafa85e5cab540e8395
                                      • Opcode Fuzzy Hash: 9a97a3dcc1483d686c99a7b0600878b48316ff567f78427e4b31ef346f565cbe
                                      • Instruction Fuzzy Hash: C1415F75E09A1D9FDB54EB98D8A4AECBBF1FF58300F4101AAD009E72A1DB349945CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8964E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 489277dba2d3039ef6ef6c3b18d0a1b321f63398eee888dc37e35e1762f2578a
                                      • Instruction ID: a138ac84d420b9ec47c96356fa27898c1ed49e0d14ecba382da6a1365a88c55f
                                      • Opcode Fuzzy Hash: 489277dba2d3039ef6ef6c3b18d0a1b321f63398eee888dc37e35e1762f2578a
                                      • Instruction Fuzzy Hash: D8418C70E096498FEB55EFA4C865AEDBBB1FF4A300F5101BAD009D7296CB389981CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 06e7f92549c0f649314eddaecd492791adab980e08ed08adab7a193f44fa8c56
                                      • Instruction ID: a32cdbf72fa91aa03a14ec4520e911a4208bf9738bef1ede953b08d501a13a13
                                      • Opcode Fuzzy Hash: 06e7f92549c0f649314eddaecd492791adab980e08ed08adab7a193f44fa8c56
                                      • Instruction Fuzzy Hash: 03416D70E1464D8FEB44EF98D865AEDBBB0FF48310F41017AE018E3296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8983F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51c6de06a8610841662158993ecf8c108b069ac60331b40d2f737172df5fdd08
                                      • Instruction ID: a8b6d1fba38a745ff335e35977ce7e98ba7e782544cbc8663e3f763446237b0c
                                      • Opcode Fuzzy Hash: 51c6de06a8610841662158993ecf8c108b069ac60331b40d2f737172df5fdd08
                                      • Instruction Fuzzy Hash: 60315B31E0961E8FDF58DFA4D4646FDBBB1EF48301F01017AE019A22D1CA386A41CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1db162be619e74a11b3c57ce62f9a0412c8268811c8779a52ee559b8d9787052
                                      • Instruction ID: 18dd55080e933d950fbe85f515913c48e48def4989b688a363134813da908cff
                                      • Opcode Fuzzy Hash: 1db162be619e74a11b3c57ce62f9a0412c8268811c8779a52ee559b8d9787052
                                      • Instruction Fuzzy Hash: 4C310671E0A65E8FDB59DFA8D8506EDBBB1FF48300F10056AE019E3291DB38A941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfbd15c629ce402446f2ca7244608ceef745f73244a00a71bc5ac12f9f1e0275
                                      • Instruction ID: a8114367ee7c9cc9b59218666ceedad555ef2a1e87b43209dde3730cf4b2ade4
                                      • Opcode Fuzzy Hash: bfbd15c629ce402446f2ca7244608ceef745f73244a00a71bc5ac12f9f1e0275
                                      • Instruction Fuzzy Hash: 0011FC31E1A52D8EDB69EB60D4617FCB671EF06301F8114B9D04EA2292CE356E44DB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8908B1 Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a3087cbf3cdc80c6b1e53048368693ca519fc0c14754c6d5d63e31c5c02f76c8
                                      • Instruction ID: 92bde33df9f51195cab9ffc5cecc0fdfc889be52ffd8d42e116870e82459d665
                                      • Opcode Fuzzy Hash: a3087cbf3cdc80c6b1e53048368693ca519fc0c14754c6d5d63e31c5c02f76c8
                                      • Instruction Fuzzy Hash: AAF02831A0964D8FD795EB6888995EC7FB0EF48300F8101FAD008D61A2DF3816458741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9f5de71d01e310d25de19f42e5ee6523df042c258de0c6b1d5f996b249653be
                                      • Instruction ID: 683c7e45f6f642c667c76ad803354b27e57d7bdbe11b3004d70b4304ad76e78f
                                      • Opcode Fuzzy Hash: a9f5de71d01e310d25de19f42e5ee6523df042c258de0c6b1d5f996b249653be
                                      • Instruction Fuzzy Hash: D8F0BE3050E64D8FCB66EF54C8556E93FA0FF5A304F0501AAE41CC7192CB7ADA65CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B898399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4016abae702ff6912c6d814f49f3e48f04bb4acc31850cd64f1e41cee9aa1e65
                                      • Instruction ID: 973e39bc55e4f3e50bfa413c253c8de4928af218edb9e9094174672a4846466a
                                      • Opcode Fuzzy Hash: 4016abae702ff6912c6d814f49f3e48f04bb4acc31850cd64f1e41cee9aa1e65
                                      • Instruction Fuzzy Hash: 32F0193191D68E8FDB51EBA888686AD7FF0FF1A304F0505A7D458D60A2DA3455448B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ae5eadda36293c1844d6bf955b0813ebf6c4e0d205ad985bb9f61d872076c60
                                      • Instruction ID: c73a1cfb75593f64e3e0008c71f261493adb5a5bc827a0156a1bef8181961530
                                      • Opcode Fuzzy Hash: 5ae5eadda36293c1844d6bf955b0813ebf6c4e0d205ad985bb9f61d872076c60
                                      • Instruction Fuzzy Hash: 84F05E3050960E8FDB55EF9494116E577A0FF59304F000176E41CD2195CA35A660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f7d79206b12b07de61fd83f9da4de32b370e39b841b084be9c66662cce74ff9
                                      • Instruction ID: 5dc29335e76615ef497502ba6ce31a1219a49da787af1f3546836c0c06e8d05a
                                      • Opcode Fuzzy Hash: 2f7d79206b12b07de61fd83f9da4de32b370e39b841b084be9c66662cce74ff9
                                      • Instruction Fuzzy Hash: DAE0923185F68E5FDB266F6089661E97F60FF05310F0616FBD058861D3DB6C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8981E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 885604a77612b4007665538a6f7475fabccb69192ee82b013977f59083f09ceb
                                      • Instruction ID: e2ec2e70e633c6ae88e18efbee7d7a10bc5649352f1e22dd7151f5da005ff06a
                                      • Opcode Fuzzy Hash: 885604a77612b4007665538a6f7475fabccb69192ee82b013977f59083f09ceb
                                      • Instruction Fuzzy Hash: 31E06832A49D0D8BCF609F98AC102843BB1FB4D304F01026DE04CC3180D3355E52C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b895000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb421aba41ecdfd5ea69e883e024c37e4698630aab55df376e19af45b9b23214
                                      • Instruction ID: 716a5aa4a74f656992352075b491c820e1c1d6a9f034f43921e73d89af15dad2
                                      • Opcode Fuzzy Hash: eb421aba41ecdfd5ea69e883e024c37e4698630aab55df376e19af45b9b23214
                                      • Instruction Fuzzy Hash: CFE06872A09A0C4BDB509F9CAC6028837A0FB4C308F010269D44CD7180D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1f98a806bba9975e56d2760c8cbbb1c488bb2ae63c72e8e6b2c22bed4af81a9
                                      • Instruction ID: 8b27181e0ccf9da73061104166d19654a517ccd7793feb9473d6d962f14127ea
                                      • Opcode Fuzzy Hash: b1f98a806bba9975e56d2760c8cbbb1c488bb2ae63c72e8e6b2c22bed4af81a9
                                      • Instruction Fuzzy Hash: 24F0E53194F38E4FDB666B6048611D97F70FF06600F0A06BAD068C61E3DB6CD658C342
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67f90b87aa0f6797332a7958f939c72718f37861121bb635d0fb0e1f1dae9fef
                                      • Instruction ID: 0887873f1219aed21612d13dd1470d1bff0d555623dd2e196dc28e551b20d7ad
                                      • Opcode Fuzzy Hash: 67f90b87aa0f6797332a7958f939c72718f37861121bb635d0fb0e1f1dae9fef
                                      • Instruction Fuzzy Hash: E2F0A271A1495E4FDFA8DF58C895BA9B7B1FB58340F1086E6D00DE3255DA30AEC58F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: f30041032725aa9d0cdc4c1f37f2548c3d31e79fd394116e7dc55691a201d6d8
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 57E04F3050960ECFDFA4FF58C4506A67BA1FF58344F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5a411bcc2487befb602bbd9ffffb137e88cf45cb6f10a01d4cb596452dbb5f24
                                      • Instruction ID: b01255cf7531784ad75131c61601bd3d5228c1314c764e00dd80a3ac18c45f55
                                      • Opcode Fuzzy Hash: 5a411bcc2487befb602bbd9ffffb137e88cf45cb6f10a01d4cb596452dbb5f24
                                      • Instruction Fuzzy Hash: DAE0EC31F1552D4EDB58EB98E8117EDB771FF85311F8015B1D11DE3196DA306A418B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8906FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =N_^$?N_I$N_^U$N_^X$N_^f$N_^g
                                      • API String ID: 0-893460077
                                      • Opcode ID: 4384e175eed4063088bc86d91a8e0a987472055626b2c89d5c46e580ec89dba9
                                      • Instruction ID: 8dc97e7f07101676ef18734aeee0b7967a5b85ea0b2859dab36eab07a6171790
                                      • Opcode Fuzzy Hash: 4384e175eed4063088bc86d91a8e0a987472055626b2c89d5c46e580ec89dba9
                                      • Instruction Fuzzy Hash: 63518A63B0F6851BEB2297DC6CA51A87FA1FF45B6075901F7E198C70A7F815A90283C2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8906A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000023.00000002.1881625271.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_35_2_7ffd9b890000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?N_I$N_^J$N_^K$N_^f$N_^g
                                      • API String ID: 0-3465608391
                                      • Opcode ID: 09d6cbf53d3f9d32993da068e265fc4c0df79060dce1b17eb4d65d6736fa54ea
                                      • Instruction ID: 131f10e2c7c1654ef6655b4177617c089ce11ab38812a706647eca96fa643a23
                                      • Opcode Fuzzy Hash: 09d6cbf53d3f9d32993da068e265fc4c0df79060dce1b17eb4d65d6736fa54ea
                                      • Instruction Fuzzy Hash: 5351A963B0F6951BEB2657EC2CA00A86F91FF85B7071506F7E198CB0E7E815A90683C1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8B5141 Relevance: 9.4, Strings: 7, Instructions: 624COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: 3d7481d5b7b31e458cbd21b8c319dd7cfc7619289a7f8dcfb814c283ab7b51c6
                                      • Instruction ID: fdb3af0463f632247a911fcaca27d4e44b8983f9f005f05a4c08f37ef3016016
                                      • Opcode Fuzzy Hash: 3d7481d5b7b31e458cbd21b8c319dd7cfc7619289a7f8dcfb814c283ab7b51c6
                                      • Instruction Fuzzy Hash: B242E770E1966D8FDBA8DF68C8A0BEDB7B1FF58301F5041A9D04DA7295DA346A81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B06E0 Relevance: 6.5, Strings: 5, Instructions: 237COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =L_^$?L_I$L_^X$L_^f$L_^g
                                      • API String ID: 0-1339829850
                                      • Opcode ID: 527da15c45bb8ab2c0ae97bb48cd4965838da52b70d3e8c428959898a31464ef
                                      • Instruction ID: 7ea12a8c2f8b912edec09d75a5e216a9e8dc31d2bb8d67eda2b80106f0ded322
                                      • Opcode Fuzzy Hash: 527da15c45bb8ab2c0ae97bb48cd4965838da52b70d3e8c428959898a31464ef
                                      • Instruction Fuzzy Hash: FA61CCA3B1F6995BE76557ED6C250FC7BA0FF45660B0402F7E058860F7EC156A028BC1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?L_^
                                      • API String ID: 0-1098677799
                                      • Opcode ID: 55a6766a3a0d413be3a57cc5548baf407a2d3fc6d202645f8e64df218dc4957a
                                      • Instruction ID: d17e4623dfc08d415a551a0699b3af363519e18d4aa47aca55ec7d940e73da13
                                      • Opcode Fuzzy Hash: 55a6766a3a0d413be3a57cc5548baf407a2d3fc6d202645f8e64df218dc4957a
                                      • Instruction Fuzzy Hash: C601D231A0926E8FC756EF7898615FA37A0EF05308F04017AE05CCA093EE29A551CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6b7253c5316fa5b36a86f29c432f3ba6c0fbe6ffbba2287674df30d04af54eaa
                                      • Instruction ID: 3802d890a303f9c2ca96b7120584833b47928575918f1508c1f6400d8ba87347
                                      • Opcode Fuzzy Hash: 6b7253c5316fa5b36a86f29c432f3ba6c0fbe6ffbba2287674df30d04af54eaa
                                      • Instruction Fuzzy Hash: 98D13C71E1965D8FDBACDB68D864BA8B7B1FF58300F4441BAD00DE32A6DA346981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B7C25 Relevance: .4, Instructions: 368COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8b4186e8e41eeb3e08ac46b8bb357533f1b02bcaeff0a2f0534ec8b0bcc2bf9
                                      • Instruction ID: 85e81d75191efe32550645d50206d5d3cf77b56f8a1874c46b8336e9a735816a
                                      • Opcode Fuzzy Hash: d8b4186e8e41eeb3e08ac46b8bb357533f1b02bcaeff0a2f0534ec8b0bcc2bf9
                                      • Instruction Fuzzy Hash: D4D18F74A0A66D8FDBA5DFA884A56BD77B1FF58300F514179D00DD32A6CB386A42CF80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64ecc662709f7a4736a5e002717b06d36e75d0c9a512cfef6baa846428c91c22
                                      • Instruction ID: 1496574f99fbb3859239e007039bf3ede0454998d4fa3cbb52cdf8e00787404c
                                      • Opcode Fuzzy Hash: 64ecc662709f7a4736a5e002717b06d36e75d0c9a512cfef6baa846428c91c22
                                      • Instruction Fuzzy Hash: 48B14C71E1965D8FDBACDB68D865BA8B7A1FF58300F4401BAD00DE72A2DE346980CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B05D8 Relevance: .3, Instructions: 279COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d16e1c597176771dd4a4588cf72b1e89ab04c27491d11949e552a9282bd7e70
                                      • Instruction ID: 3176330d198d522b645d8910a7aaaeb3a6e094c00f103e914a0789bf6a052952
                                      • Opcode Fuzzy Hash: 2d16e1c597176771dd4a4588cf72b1e89ab04c27491d11949e552a9282bd7e70
                                      • Instruction Fuzzy Hash: F781F331B1DA594FDB6CEF6888605B977E2FF98300B15017EE45DC72A6DE34E9028B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B6163 Relevance: .2, Instructions: 242COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 608fe7da295171c254305883c7b3f4554a0c2416fc4f9848b8e3b5777ddaa857
                                      • Instruction ID: 55ebe03648824d0f86b98bc368625304915bc21a18eb87d8ed9f6c8d2c1ab603
                                      • Opcode Fuzzy Hash: 608fe7da295171c254305883c7b3f4554a0c2416fc4f9848b8e3b5777ddaa857
                                      • Instruction Fuzzy Hash: F591D570E0891D8FDB94EFA8D895BEDB7B1FF58304F4042AAD41DE3296DA3469858B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B685C Relevance: .2, Instructions: 193COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5356f6c2ba5f682fc77ce7521da0cebd52ba1e3dd90c82a313ff5970d962f935
                                      • Instruction ID: 634bb08cc3188097440daad7f0eb092cd2fd160c8c2d5fb0dcddf079699f201f
                                      • Opcode Fuzzy Hash: 5356f6c2ba5f682fc77ce7521da0cebd52ba1e3dd90c82a313ff5970d962f935
                                      • Instruction Fuzzy Hash: FC71B370D08A2C9FDBA5EF58C895BE9B7F1FB58304F5001AAD40DE3295DB35AA848F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B129D Relevance: .2, Instructions: 184COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5dd92693221a073283b2d61710f07eed08412044995a1e467eb7920534bc9c27
                                      • Instruction ID: c8001802767fb14d05c6cdab4575cda95df31ed3646d21f0893adaf8168d6a34
                                      • Opcode Fuzzy Hash: 5dd92693221a073283b2d61710f07eed08412044995a1e467eb7920534bc9c27
                                      • Instruction Fuzzy Hash: DF510131B18A594FDB58DF2888645BA77E2FF98300B15417ED45EC7291DE34E9028B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B2CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7d13ea0c830fe39205eba0dc1d1c1d5c71d3a09a2e9c1aea42f71ba756e2a74
                                      • Instruction ID: 0435336c1b55a788e07058423d8bf87a7a11de9d93f48d98abd4e7085ae8f7a6
                                      • Opcode Fuzzy Hash: b7d13ea0c830fe39205eba0dc1d1c1d5c71d3a09a2e9c1aea42f71ba756e2a74
                                      • Instruction Fuzzy Hash: 50515271E0995D8FDF95EFA8D455AECBBB1FF59300F45016AD00DE7292CB24A941CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e8559882b5d00b8b1b2c6ffabd555b33964a95673328011482d030acf4caddd8
                                      • Instruction ID: 9689edb5ce167a98d6880452b1f3cf943a074afb7f4098937efe1b78315a0052
                                      • Opcode Fuzzy Hash: e8559882b5d00b8b1b2c6ffabd555b33964a95673328011482d030acf4caddd8
                                      • Instruction Fuzzy Hash: 8F51F961A0E6AD4FE7A19BB89C657A87FA0EF49300F0501F7D08CC71E7DD246A85CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69587771db352ff09593235a20431932a3612a4e60a7ea35c498a2f8294ca80f
                                      • Instruction ID: 47797f8067ae6efb334f0fd2e4b93d4719f8950736f49bdd632c22ec5c4a6701
                                      • Opcode Fuzzy Hash: 69587771db352ff09593235a20431932a3612a4e60a7ea35c498a2f8294ca80f
                                      • Instruction Fuzzy Hash: 0E319531E2E62E8AE774BB6084217F9B2A1FF4A300F410279D05D961E5CF396A45CFC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9af0dd47842b76c6db5ecdbb1aa710939cb2990c47f12c5ebff2429feeaf2d27
                                      • Instruction ID: 57e9d77b1f5f844592200ccc9db754348cbd8dd1b541dbde431bc9b0a84cc330
                                      • Opcode Fuzzy Hash: 9af0dd47842b76c6db5ecdbb1aa710939cb2990c47f12c5ebff2429feeaf2d27
                                      • Instruction Fuzzy Hash: 32416F71E1991D8FDB54EFA8D8A4AECBBF0FF48301F4001A9D009D72A1DB349944CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 570248743b907ca4e4a1458a464e4d84480da8c80587125cdeee165418ee792d
                                      • Instruction ID: c54fba0333b865996f3e4feebb011d5e5270e64e9763a8a8052526f9fbc20b41
                                      • Opcode Fuzzy Hash: 570248743b907ca4e4a1458a464e4d84480da8c80587125cdeee165418ee792d
                                      • Instruction Fuzzy Hash: F5416D70D096598FDB55DFA4C865AEDBBB1FF49300F5101BAD009D7296CB389981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db45c79cc141ef9bfced61eb2aab3781d3b3b8674ef828ec746576fd1d7bd36a
                                      • Instruction ID: 594c56e46ab35a023b65c88144763c304667c04a1fb954646d06b68f348bbc2b
                                      • Opcode Fuzzy Hash: db45c79cc141ef9bfced61eb2aab3781d3b3b8674ef828ec746576fd1d7bd36a
                                      • Instruction Fuzzy Hash: 11416B70E1465D8FDB84EFA8D865AEDBBF1FF48310F05017AE008E3296DA346941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B83F5 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf47f4cd9c42f396461519e40e431fa21c98513b1a901b797cf6306171a75c49
                                      • Instruction ID: 3bf72686a5552cdb354ca3c53910b69d7bf71719573964829be760954135ed6d
                                      • Opcode Fuzzy Hash: cf47f4cd9c42f396461519e40e431fa21c98513b1a901b797cf6306171a75c49
                                      • Instruction Fuzzy Hash: F7315A31E0962E8FDB68DFA4D4A56FEB7B1EF48301F01057AE019A32D5CA385A41CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B5A29 Relevance: .1, Instructions: 100COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d13ff8dca565afdcd0ebb8faaf11de59d37eb286ca2c4e08cf9e310ae45413a
                                      • Instruction ID: ece5113018c2a33794027e829ec3a4fbf8132ece9cd3641686c1f2aa9af288c1
                                      • Opcode Fuzzy Hash: 9d13ff8dca565afdcd0ebb8faaf11de59d37eb286ca2c4e08cf9e310ae45413a
                                      • Instruction Fuzzy Hash: 72315C71E0991D8FDB94EFACD4A5AADB7F1FF98304F10053AE01DD3295CA35A9428B80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B5931 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3eeab5eade8cc25c044636175bd066f3aad77c125ecdf34d036869c7921c0561
                                      • Instruction ID: 3dd83a1f13366b555ca5411ee8d15541cb06737eaef5608dfa54907149a6d258
                                      • Opcode Fuzzy Hash: 3eeab5eade8cc25c044636175bd066f3aad77c125ecdf34d036869c7921c0561
                                      • Instruction Fuzzy Hash: DE31342060F6DD4FE7A29B788964AE87FB1EF4A320F0904EED088DB197C9285845C752
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B2BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c05373f887cc88fbed7b45faa82e212e172afd81ce94caab372dfdfda53d4273
                                      • Instruction ID: 864fcf00c28dc23d0cc293379bad6f40c36ffa5d3d0cdce6108f859213494ce0
                                      • Opcode Fuzzy Hash: c05373f887cc88fbed7b45faa82e212e172afd81ce94caab372dfdfda53d4273
                                      • Instruction Fuzzy Hash: 08312A70E0A65E8FDB55DFA8D8606EDBBB1FF49301F10057AE019E3291DB389941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a6fb3c5649b606b330c900cd77f4b24bf22f1e02abb9e3214d2270da3637f01
                                      • Instruction ID: 8e0d3ae39bf9f6917242d1d60ce307d9a6d9f4757655d93736b3dc51566a1da7
                                      • Opcode Fuzzy Hash: 2a6fb3c5649b606b330c900cd77f4b24bf22f1e02abb9e3214d2270da3637f01
                                      • Instruction Fuzzy Hash: C411FC31E2A52D8ED769EB60D4657FCB271FF06301F4110B9D04DA62A6CE356E44CF80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B834D Relevance: .1, Instructions: 62COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6199fd3ef8a8969a3224b6fe70302abb300342100c5d9c5d57b507dd8c84857d
                                      • Instruction ID: 15d4dea0ebe930f56f735e56a58283af13dcdad5544e3609da58ed5f4b96595e
                                      • Opcode Fuzzy Hash: 6199fd3ef8a8969a3224b6fe70302abb300342100c5d9c5d57b507dd8c84857d
                                      • Instruction Fuzzy Hash: C2216F3184E78D8FDB529B7888696E97FB0FF1A300F0601E7D458CB0A2D7386548CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B81E0 Relevance: .0, Instructions: 50COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b5000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 28c0c792389e836445b500c2f427da0518f67137ee095bed2d50e16e22068dd8
                                      • Instruction ID: 10e4f28e8e96475467ed88b29e87edca9434ddbf0ebf47bedba80f12afb25f06
                                      • Opcode Fuzzy Hash: 28c0c792389e836445b500c2f427da0518f67137ee095bed2d50e16e22068dd8
                                      • Instruction Fuzzy Hash: 3601F43184890C8BCB60EF5A9C0028577B4FB5D314F01036AD44CD7180E3359AA6CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B08B1 Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f2519bba86ff4fd70346843e109b248287413070db6b352b98e127b26d8a39f5
                                      • Instruction ID: 9f87b2368ecee9df820953c36aed9a125411b095fa1f22de702dcfab051ef206
                                      • Opcode Fuzzy Hash: f2519bba86ff4fd70346843e109b248287413070db6b352b98e127b26d8a39f5
                                      • Instruction Fuzzy Hash: F4F02231A0964D9FD794EB7888A95EC7FB0EF88300F8105FAD408C61A6DF381645CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9256ba24063cd61acade21657975d369cbf70190d841fa29eb47c7b69e93aad
                                      • Instruction ID: 78364e4356b327c83f5f4a2ef257fa2c34a43666fe4227375d31dc467d441d28
                                      • Opcode Fuzzy Hash: c9256ba24063cd61acade21657975d369cbf70190d841fa29eb47c7b69e93aad
                                      • Instruction Fuzzy Hash: DEF02831A1E64D5FD751EB788CA55EC7FA0EF48200F4101F6D418CB2E3EB28A945C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c27bb3ca9f1c2fc609b5d40c53f8eacd38f7d0e0ac17b7e669fb430352200e87
                                      • Instruction ID: c9dfec9c63295712f4ebe7c97c3728425da9bc93592a6970de723ad899e62fc2
                                      • Opcode Fuzzy Hash: c27bb3ca9f1c2fc609b5d40c53f8eacd38f7d0e0ac17b7e669fb430352200e87
                                      • Instruction Fuzzy Hash: B8F0BE3050E64D8FCB66EF24C8516E93BA0FF5A300F0501AAE41CCB196CB7ADA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 432d24d1fd1050ca00c0840a8a7201cd64d0db7f0804005701bda6b8cd227d0c
                                      • Instruction ID: c14000dea9572f4d7f9f3dff157658dc6dd583c9076c943b63c4709b4fbfd70e
                                      • Opcode Fuzzy Hash: 432d24d1fd1050ca00c0840a8a7201cd64d0db7f0804005701bda6b8cd227d0c
                                      • Instruction Fuzzy Hash: B5F0823050960ECFDB69EF64D4116F577A0FF59304F000176E41CD71D6CA35A660CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23ba22b8572c9bb666e20d31bca06677ba9c48c0ae40591f7c4364df5adebe8f
                                      • Instruction ID: 8bebb03e8e9f82e6d93361e3adf8cf6e57b0d7ea40d1fe8a6e5ee34cc2699785
                                      • Opcode Fuzzy Hash: 23ba22b8572c9bb666e20d31bca06677ba9c48c0ae40591f7c4364df5adebe8f
                                      • Instruction Fuzzy Hash: 02E09B3185F69E4FD7216F6049651DD7B60FF05300F0616BBD0588A1D3D76C9618CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d24992e485735ca18b3b10e06babd7af33ca46ad9845132f942a62b29df2134c
                                      • Instruction ID: 1cc1f3f5f1927b86c6c415b5c3a98059dc78c018205414e97c9c95f8e4fe0153
                                      • Opcode Fuzzy Hash: d24992e485735ca18b3b10e06babd7af33ca46ad9845132f942a62b29df2134c
                                      • Instruction Fuzzy Hash: 4EF0A03194F39E4FDB626B6048A11D97B70FF06200F0A06BAD058CA1E3DA6896588782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7c93de0c2b6230d7ca6b700ca4e0565f6d0126693fb637c51b5efed0daf6a2cc
                                      • Instruction ID: 050a3b9d599e1dd869946b43609b9db1eb2a77aacd33065bc6759f0aeb4a7c05
                                      • Opcode Fuzzy Hash: 7c93de0c2b6230d7ca6b700ca4e0565f6d0126693fb637c51b5efed0daf6a2cc
                                      • Instruction Fuzzy Hash: 91F01270E1486E4FDFA4DF28C894BA9B3B1FB58340F1086E6900DE3255DA30AEC58F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B1B4D Relevance: .0, Instructions: 25COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 97b4c419c3ab19ce4798a8ad9c4a7bd32452db8575867f40a8cc32ca3ef47c3f
                                      • Instruction ID: d41552a5e1f3913b20d15c0275b3b0ae1c4d16c764e69640eae740fd97e164c3
                                      • Opcode Fuzzy Hash: 97b4c419c3ab19ce4798a8ad9c4a7bd32452db8575867f40a8cc32ca3ef47c3f
                                      • Instruction Fuzzy Hash: AEE02B3185F68D4FD7216F3049652E97F60FF45700F0506BAD048861D3EB68E2188782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 54dc86a14f543349dc7700b5e0320e69aa6d7c8dd2378ae33cffcb442974c070
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: BCE04F3051960ECFDBA8EF68C450AA677A1FF58304F100539E41CD6190CB35E6A0CFC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c0266af859dfcd67394e16e1d7092a6eae618b8e4109c1e829af480453418da8
                                      • Instruction ID: 36e5c187be48d124e3c54d035a18cf61c34ebc2660cfa64f5abda6b6daff1e07
                                      • Opcode Fuzzy Hash: c0266af859dfcd67394e16e1d7092a6eae618b8e4109c1e829af480453418da8
                                      • Instruction Fuzzy Hash: F4E08C31F1052D8ECB58EB98E821BEDB770FF85300F8000B1C00CE318ADA306A418B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8B06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =L_^$?L_I$L_^U$L_^X$L_^f$L_^g
                                      • API String ID: 0-3399030255
                                      • Opcode ID: 2901ed489480aa804b860a448454aecd71d7d449e8b0a449201b14756365f14e
                                      • Instruction ID: 6a395c2d2ba314665f3511997b977dd68493e6623f08d83c5490d6e986db0b67
                                      • Opcode Fuzzy Hash: 2901ed489480aa804b860a448454aecd71d7d449e8b0a449201b14756365f14e
                                      • Instruction Fuzzy Hash: ED518EA3B1F6951BE76257ED2C210A87B50FF4566071502F7E098870F7FC16AA068BC1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8B06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000024.00000002.1884669620.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_sihost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?L_I$L_^J$L_^K$L_^f$L_^g
                                      • API String ID: 0-841158015
                                      • Opcode ID: 1bd8219d64ee5c592308921d3272116670e3bfc925633b3dc73ff5b49ef62ac4
                                      • Instruction ID: 3c620171f82a6507c1976114c3ab05e2619944930ccd4038ad59ac6de986fbe3
                                      • Opcode Fuzzy Hash: 1bd8219d64ee5c592308921d3272116670e3bfc925633b3dc73ff5b49ef62ac4
                                      • Instruction Fuzzy Hash: 46519BA3B1F6990BE72617FD2C210B87750FF8566071506F7D098860E7F816AA068BC1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8A5141 Relevance: 9.4, Strings: 7, Instructions: 623COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: c89c4ebcc94ddbe5767897a3791011dd6d618c8c6e004383964caed1b907e2fe
                                      • Instruction ID: 1fc1a63bee4785d059e1ea305b2eb4e012ca094f0851b6025b949ba6ec67c548
                                      • Opcode Fuzzy Hash: c89c4ebcc94ddbe5767897a3791011dd6d618c8c6e004383964caed1b907e2fe
                                      • Instruction Fuzzy Hash: E542E670E1962D8FDBA8DF68C8A0BEDB7B1FF58301F5041A9D04DA7295DA346A81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06E0 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^X$M_^f$M_^g
                                      • API String ID: 0-154525759
                                      • Opcode ID: 7d0f80405dc2f24dee6ffc29b43502035cb3c8c5d3389346662301f86382a189
                                      • Instruction ID: 7396efcea67dc0264652fb69b2fbfceb4440fd8a6868310e6667acf965b79c53
                                      • Opcode Fuzzy Hash: 7d0f80405dc2f24dee6ffc29b43502035cb3c8c5d3389346662301f86382a189
                                      • Instruction Fuzzy Hash: 0C615863B0F68D9BE725579C7C250B87BA0FF45B60B4503F7E05C860E7FD266A028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_^
                                      • API String ID: 0-1086198800
                                      • Opcode ID: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction ID: 3d8521bafb06154367cd6c1cff0b4bd3395916ff398081af40a7354ad919294e
                                      • Opcode Fuzzy Hash: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction Fuzzy Hash: 2E01F531A0A25ECFC756EF6898A15F677A0FF05308F0402BAE05CC70D3EE29A551C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction ID: c4eee4dfb26f822c80f2799e5fb765654599f6d40afb2291563f292b4d95e10b
                                      • Opcode Fuzzy Hash: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction Fuzzy Hash: F9D14C71E1965D8FDBACEB58D865BA8B7B1FF58300F4441B9D00DE32A2DE386981CB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A7C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b56ddacefa436c6f7532f5f9ffda8f1bb70266492e62d55e7c8a43ec53351a44
                                      • Instruction ID: c1a2d782709b72c2b632434f03f4d2f55e8f80f2ee4e11487cd6942b59f7e8ce
                                      • Opcode Fuzzy Hash: b56ddacefa436c6f7532f5f9ffda8f1bb70266492e62d55e7c8a43ec53351a44
                                      • Instruction Fuzzy Hash: 17C18C74E0A51D8FEBA5DBA8C4957AD7BF1FF98304F5141B9C00DD32A1DA386982CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction ID: 2577d3ba8292d67337c187970afcae245e713283573329d56a3fb02e1da44ceb
                                      • Opcode Fuzzy Hash: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction Fuzzy Hash: CBB16E71E19A5D8FDBACEB58D865BA8B7A1FF58300F4441B9D00DE72E2DE346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A05D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction ID: d9638f63021583494f95167e29688675b120fbe4741530340d955a603c15c04d
                                      • Opcode Fuzzy Hash: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction Fuzzy Hash: 6981E031B0DA494FDB68EF5C88605A977E2FF99700B15456AE49EC3292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A6163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c8016676d72faad877ceac282881df1a2b26fff807b609dc505c033651d63e4
                                      • Instruction ID: ff69affe283ccceee1ec2446db563ebdcab5198c2576afc78f1299ba72ab9fb9
                                      • Opcode Fuzzy Hash: 8c8016676d72faad877ceac282881df1a2b26fff807b609dc505c033651d63e4
                                      • Instruction Fuzzy Hash: 9171B570E1491D8FDB94EFA8C8A5BEDB7B1FF58300F5041BAD41DE3295DA3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5931 Relevance: .2, Instructions: 199COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e5aed9caf4680828d025a5ba350663614ce6953ef51e76b5c7cf34a0c8666315
                                      • Instruction ID: 45786f6b1fd454a784980559758e42547a60d9cee5f228e77104a7b25ebf355b
                                      • Opcode Fuzzy Hash: e5aed9caf4680828d025a5ba350663614ce6953ef51e76b5c7cf34a0c8666315
                                      • Instruction Fuzzy Hash: 6761E830E09A8D4FDB95EFA8C4A4AEDBBF1EF59314F0404BAD04DD7296CA38A941C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction ID: dda21314199da0e545e0db3918eb48de3e6f086afecd7db00e4081cacd75964a
                                      • Opcode Fuzzy Hash: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction Fuzzy Hash: 2451DF30B19A4D4FDB58EF1888645BA77E2FF99304B15417EE45EC7292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction ID: 55b8106ca91a02037857c674765e3698e297d3b487388b95cea0dd0541718278
                                      • Opcode Fuzzy Hash: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction Fuzzy Hash: 97516071E09A4D8FDBA4EFA8C465AEDB7F1FF59300F01016AE00DE7292CA24A941CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de9466765afec66a35be79eb25f67a98d63557c09c59ff4ed8e250d0b80864f5
                                      • Instruction ID: 3b82207d3b772591eee69e0cc8d4796a0ee367e644390d30e9facf58935028fe
                                      • Opcode Fuzzy Hash: de9466765afec66a35be79eb25f67a98d63557c09c59ff4ed8e250d0b80864f5
                                      • Instruction Fuzzy Hash: 4351E561A0F69D4FE7B1ABA88D647A87BA0EF5A300F0541F7D08CC71E7DD282A85C751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction ID: 81dfd5026df9d0b9b50f8e493e0f7379b3885173aa04c3c51a371722d7c5e403
                                      • Opcode Fuzzy Hash: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction Fuzzy Hash: 09317031E1E61E8AE774BB9484217FCB2A1FF5A300F410279D45E931E5DF396A45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e61636c9c4ba62211a4e26c59d96d9691f17b9a4e3393c50a7a39b86ded82b41
                                      • Instruction ID: cc484838b954c04eac4ef644bacc9ec45e7d0171c300bbc3fd0ec80d1d020e60
                                      • Opcode Fuzzy Hash: e61636c9c4ba62211a4e26c59d96d9691f17b9a4e3393c50a7a39b86ded82b41
                                      • Instruction Fuzzy Hash: 0E417E34E09A1D8FDB54EB98D864AECBBF0FF19300F4000BAE009E72A5DB389945CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c785f765cbb5885c0089cd8b157ca29b76bbaa019c97d01366043df41e8231f
                                      • Instruction ID: edb48a34a85d289b99e533c8ccac61f15ddd00227978101fc3b3ce92e2bdf15e
                                      • Opcode Fuzzy Hash: 3c785f765cbb5885c0089cd8b157ca29b76bbaa019c97d01366043df41e8231f
                                      • Instruction Fuzzy Hash: B2418F70D096498FEB55EFA4C865AED7BB1FF59300F5101BAD009D729ACB389981CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f8df9afc6a146e4e75a0ec4a8a10754f210f5ecbb207ba6e7e2b0171b8f7a462
                                      • Instruction ID: 940081892cc4c04ef40ea5be5c0cb970640629b3e69a904552b2abc50529bff3
                                      • Opcode Fuzzy Hash: f8df9afc6a146e4e75a0ec4a8a10754f210f5ecbb207ba6e7e2b0171b8f7a462
                                      • Instruction Fuzzy Hash: D7415B70E14A4D8FDB94EFA8D865AEDBBF1FF48310F05017AE008E7296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A83F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 29390c7fecc796de59560afc09276857eda1e538c6e3448b93ffdb9c80896b33
                                      • Instruction ID: 7be468d841cf8e2ebc7f0d813308da38b984c95f18ccbcd66916cf34371c1083
                                      • Opcode Fuzzy Hash: 29390c7fecc796de59560afc09276857eda1e538c6e3448b93ffdb9c80896b33
                                      • Instruction Fuzzy Hash: 2F315C31E0A61E8FDB68DFA4D4646FEB7B5EF48301F41017AE019A32D5CA385A41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction ID: c00ab8dacdd34e5df0ad74eeaad5de679bd2179a6400084a9d7ab56429e9c680
                                      • Opcode Fuzzy Hash: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction Fuzzy Hash: 7F312B70E0A64E8FDB59DFA8D9506EDB7B1FF48300F10057AE019E3291DB389951CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction ID: 3eb9ddf89bf31ed275270a7a055c8b6ce69cd92175d3815db1d0d97dabc32b71
                                      • Opcode Fuzzy Hash: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction Fuzzy Hash: B611FC31E1A52D8ED769EB60D4617FCB275FF06301F4110B9D04DA2292DE396E44CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A08B1 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 09e4b8278de32063ff6e1b2f61a0d7a3df34d86a0d555de1aec16d3b4158056a
                                      • Instruction ID: 879c5df41555cc02369470bab6ed7c7f97be909ffc74d1d032ca119a6104f7e8
                                      • Opcode Fuzzy Hash: 09e4b8278de32063ff6e1b2f61a0d7a3df34d86a0d555de1aec16d3b4158056a
                                      • Instruction Fuzzy Hash: 33F0F630A1968E4FD795EB7488A55ECBFB0FF49340F8101FAD01CD71A2DF2966598741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12667244dbf0cce2d2b6b480aeba58a7e165391687cc8818fa6974819eed5b45
                                      • Instruction ID: a2958ca62b1ce8897d46d415a95c4e18fd5baf62f532ac99b34e1fd9e881337d
                                      • Opcode Fuzzy Hash: 12667244dbf0cce2d2b6b480aeba58a7e165391687cc8818fa6974819eed5b45
                                      • Instruction Fuzzy Hash: F6F02231A4EA8D4FD715EB6888656ECBBA0FF49200F4501F6D458CB1E7EB38A94AC341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction ID: f223197e4087428c2f3635a0dcedc09ba7c333b087cd94a4200a71155a387619
                                      • Opcode Fuzzy Hash: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction Fuzzy Hash: B9F0B43050D64D8FCB55DF14C4516E57BA0FF56300F0501AAE41CC7192CB79DA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A8399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction ID: b86191e9ae95e51a6c0a64fc94c6a66c806de541d07f2975c73c3c7c8b0e07ef
                                      • Opcode Fuzzy Hash: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction Fuzzy Hash: D4F08C3080E68D8FDB51EBA888682ED7FF0FF19304F4504A7D008D60A2DB346654CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction ID: d6900971d0672197baec63f717fb73311d13d4350e1b79349f57f883aea61e8c
                                      • Opcode Fuzzy Hash: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction Fuzzy Hash: 1EF05E3050960E8FDB55EF5494216E577A0FF59304F000176E41CD2195CA35E660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction ID: 61fa876d48b7d9e159915463b5e9ebf3a1559aceccce50a2f69ad9474c70305a
                                      • Opcode Fuzzy Hash: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction Fuzzy Hash: A0E0223180F2CE4FD7226F6088261E97B60FF06300F0A06BBD05C8A0D3DB2C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A81E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction ID: 177d08f533422be18da5ea660d2b8b510f6b0d31ff5337c95e642aaabc41f3ee
                                      • Opcode Fuzzy Hash: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction Fuzzy Hash: CBE0D871949D4C8BCB649B599C2029577B1FB4D304F41066DE44CC7191D7355E56C321
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction ID: 66179f01e23e7aaa0beb2b0866285ddbc1bedf3224308ce7378dec91a5eb95d8
                                      • Opcode Fuzzy Hash: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction Fuzzy Hash: 8FE06832909A0C4BCB509F989C6028873A4FB4C308F010269D44CD7184D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction ID: e764ec8c1b3b531a343fbad1aa230ff1f693fcaadfd3f80e9af0df34dcaf136a
                                      • Opcode Fuzzy Hash: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction Fuzzy Hash: F1F0E53194F38E4FD7666B6048651D97F70FF06200F0A06B6D058C61E3DB6C9658C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3b1d92845ec4251ed7034a0df882849075b500f131bfb659a8441b51a9e7c8e8
                                      • Instruction ID: a935350952797d83debb8fae35f2eb7e50b50101e759f979ef6df272fcabb377
                                      • Opcode Fuzzy Hash: 3b1d92845ec4251ed7034a0df882849075b500f131bfb659a8441b51a9e7c8e8
                                      • Instruction Fuzzy Hash: 5AF0FE70A0485E4EDFA8EF18C894BA9B3B1FB68340F1086E6900DE3255DA30AE858F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 30e23b61984462143688f0acb97c49aa7f228fe9299e9ff039252866cc2b0332
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 3DE04F3450960ECFDBA8EF58C4506A677A1FF59304F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3f5f4a56798d83e0ad997388a32772c917b0779465b350570cad491fe43dac2
                                      • Instruction ID: 3475d7edf1eaea1ccace82acd7e6efa6d6d304e578e4f14340daebcc88aebbe1
                                      • Opcode Fuzzy Hash: b3f5f4a56798d83e0ad997388a32772c917b0779465b350570cad491fe43dac2
                                      • Instruction Fuzzy Hash: FAE0EC31F1555D8EDB58EB98E8117EDB7B1FF89311F8005F1D11CE319ADA3069458B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8A06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^U$M_^X$M_^f$M_^g
                                      • API String ID: 0-3044347950
                                      • Opcode ID: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction ID: 0131e3a94caf0220e34a8ae220d97852959a8a9b56db11ca76dc861bce4287de
                                      • Opcode Fuzzy Hash: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction Fuzzy Hash: 12517B53B0F6894BE722579C3C250B8BB91FF46A6075907F7E09C860E7FC16AA028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000025.00000002.1884439162.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_37_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_I$M_^J$M_^K$M_^f$M_^g
                                      • API String ID: 0-1283126691
                                      • Opcode ID: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction ID: ed3dacb467e6259db3e102457e2a6bbf744c0f72c73059d6c052dc00d5bf8751
                                      • Opcode Fuzzy Hash: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction Fuzzy Hash: B8518A63B0F68D8BE72557AC3C200B87B91FF46B6071507F7D09C860E7FC16A9068295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B895141 Relevance: 9.4, Strings: 7, Instructions: 624COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: 527119c550148872750fe9363a974ee76548d4b7eeaf38d8d7fdac1ba32f61ae
                                      • Instruction ID: 7c3c949ee33abbacdbc040693cdfa7f11f90102361c0640bc3680d7f83d72851
                                      • Opcode Fuzzy Hash: 527119c550148872750fe9363a974ee76548d4b7eeaf38d8d7fdac1ba32f61ae
                                      • Instruction Fuzzy Hash: 7142F770E1962D8FDBA8DF68C8A0BEDB7B1FF59301F5041A9D04DA7295DA346A81CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8906E0 Relevance: 6.5, Strings: 5, Instructions: 238COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =N_^$?N_I$N_^X$N_^f$N_^g
                                      • API String ID: 0-3255808656
                                      • Opcode ID: ed17aa266d7f554159cf75f03ffeb9d1bb225192ce8b74e716663b47813813e9
                                      • Instruction ID: 78ed5d8aeac06de9946f80d9c00b9f43e9da0450dd93cd4f43b2d02200175726
                                      • Opcode Fuzzy Hash: ed17aa266d7f554159cf75f03ffeb9d1bb225192ce8b74e716663b47813813e9
                                      • Instruction Fuzzy Hash: 74618C63B0F6895BEB2697DC6CA51E87FA1FF49760B4502F7E058C70E7EC156A028381
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8904F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?N_^
                                      • API String ID: 0-1123592777
                                      • Opcode ID: 2dcacda7d6ccb632441c59282721a488007c054c61b2754eb91aa511bd10fa70
                                      • Instruction ID: f81a0918c252fd9d7bca808ca4fb4401466ed33aac772872a09b32639ecbfd15
                                      • Opcode Fuzzy Hash: 2dcacda7d6ccb632441c59282721a488007c054c61b2754eb91aa511bd10fa70
                                      • Instruction Fuzzy Hash: 7401D231A0D25E9FDB56EFA898A15F67BA0EF05308F0401BAE05CC6093EA68A551C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fa31d29a8ba8e9f8ff486b56020db2a1b861ea662426c22b63862c3209b9f82f
                                      • Instruction ID: 9f8185921b38824b65ff334d00ff567269a3d787647d87019f037835d1abc9af
                                      • Opcode Fuzzy Hash: fa31d29a8ba8e9f8ff486b56020db2a1b861ea662426c22b63862c3209b9f82f
                                      • Instruction Fuzzy Hash: 4AD13B71E1965D8FDBACDB58D8A4BE8BBB1FF58300F4441B9D01DE32A6DA346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B897C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 518d677ed6dc290cd7f897b0495430a01416266c6b702951d6c98ed5b8a0d1d8
                                      • Instruction ID: 08e24b49feda669782659fc522d16b3c41691facdc3b9e937ff53b5f7bafad07
                                      • Opcode Fuzzy Hash: 518d677ed6dc290cd7f897b0495430a01416266c6b702951d6c98ed5b8a0d1d8
                                      • Instruction Fuzzy Hash: F0C16F74A0A91E8FEB64DBA8C465BED7BB1FF58340F51417AD00DD3296CB386942CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B893239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4bb9bfd976ee4b6623b860cfd50dcfd86115e455c35f71a5e5864dfc5fffbd7
                                      • Instruction ID: 33284b96bf55c1c2b929db312d2ac6ec890b518d908c870a2f29d37b401cedaa
                                      • Opcode Fuzzy Hash: e4bb9bfd976ee4b6623b860cfd50dcfd86115e455c35f71a5e5864dfc5fffbd7
                                      • Instruction Fuzzy Hash: 2BB14C71E1965D8FDBACDB58D8A4BA8B7B1FF58300F4441B9D00DE72A6DE346980CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8905D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0197c256963c4d90de6a764e46e952f890dc3d3b1994f335781cfae084d5826
                                      • Instruction ID: 6d84a1e1124e9571c2d80a7d2d5d6cb123e27c95614c079d43f8eb418264276b
                                      • Opcode Fuzzy Hash: f0197c256963c4d90de6a764e46e952f890dc3d3b1994f335781cfae084d5826
                                      • Instruction Fuzzy Hash: F281E231B1DA494BDF68EF5C88615B97BE2FF9C300B15457EE45EC3292DE34A9028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B896163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd244f49d4dfd98230738badd26c1a55c724dacecaeaa49c21fb428c0c462d7b
                                      • Instruction ID: 3a133e7388cd710e25acc90469763102db50cd96dafe659d338ec97e2e20427f
                                      • Opcode Fuzzy Hash: bd244f49d4dfd98230738badd26c1a55c724dacecaeaa49c21fb428c0c462d7b
                                      • Instruction Fuzzy Hash: B471A570E14A1D8FDB94EFA8C895BECB7B1FF58300F5041AAD41DE3295DE3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47aed0f2d22d6eccd6793309ca2844414dc1ea52616f1a6c1ba7edee7c24180b
                                      • Instruction ID: 4a994c96676e8ed0b3a473769e2da9a284a9587cdab3cbe9fd51bda8c3de18b3
                                      • Opcode Fuzzy Hash: 47aed0f2d22d6eccd6793309ca2844414dc1ea52616f1a6c1ba7edee7c24180b
                                      • Instruction Fuzzy Hash: 8F51DF30B1CA4A4FDB58EF5888645BA7BE2FF98304B15417EE45EC7292DE34E8028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 170b7e2f6f40b4ed6183ebbd835a3ad73134f0a550333bfb333d1e8505713021
                                      • Instruction ID: ba3b9e90740bbd95f8cb1d81de129e513bcac5a047be3791b74299c1f081a322
                                      • Opcode Fuzzy Hash: 170b7e2f6f40b4ed6183ebbd835a3ad73134f0a550333bfb333d1e8505713021
                                      • Instruction Fuzzy Hash: 75515071E0995D8FDF95EFA8C865AECBBF1FF59300F41016AE00DE7292CA64A941CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3641f95f519b28dae6afab01f4820e86826e864ee34724f246ab88a1ca8c7304
                                      • Instruction ID: e7e4b1d83a75859f5c907cdca124289c09dc35f696a66f2aafdb0a041a7488ad
                                      • Opcode Fuzzy Hash: 3641f95f519b28dae6afab01f4820e86826e864ee34724f246ab88a1ca8c7304
                                      • Instruction Fuzzy Hash: 6B51E361A0E69D4FEBA59BA88C653A87FA0EF59300F0540FBD08CC71E7DD246E85C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb3057290304f00da395ea2e3505f01b5b1b12c3a555ddf829e8cfb1f4570ceb
                                      • Instruction ID: 5f2f93aec6c9dcb71bebea6d4874afc480783a2f8bab7311b9c3d2602e3229a6
                                      • Opcode Fuzzy Hash: bb3057290304f00da395ea2e3505f01b5b1b12c3a555ddf829e8cfb1f4570ceb
                                      • Instruction Fuzzy Hash: 43319231E1E61E9AEB74BB9084217F8B6A1FF4A300F410279D45EA21E5CF396A45DB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58f46ed71631c3b51c19ab9ff1dffcbf8c809e02a8af95ca50b2e1d30927be8d
                                      • Instruction ID: 63109f12631efe973ba0a76529ac83e5bb578ca6e4ea028a8e67c3d700aa186e
                                      • Opcode Fuzzy Hash: 58f46ed71631c3b51c19ab9ff1dffcbf8c809e02a8af95ca50b2e1d30927be8d
                                      • Instruction Fuzzy Hash: F6415C71E09A1D8FDB54EB98D8A4AECBBF1FF49301F4000BAD009E72A1DB349944CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8964E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e3ef3b827ff6198b57017498d9d7f669d3c2cd55228e78a39f1fbf4aea565403
                                      • Instruction ID: d614fba29bcfd22c77bfe0713e9c96e82b24307177723092eb1771f1dafa834d
                                      • Opcode Fuzzy Hash: e3ef3b827ff6198b57017498d9d7f669d3c2cd55228e78a39f1fbf4aea565403
                                      • Instruction Fuzzy Hash: 4A416A70E096498FEB55EFA4C865AEDBBB1FF4A300F5101BAD009D7296CB389981CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e0e4824bfb2fc171dd8ee1ff5988da58386cb5333d57af4c0325417c2f8ffce3
                                      • Instruction ID: 65d3bc6e634aed5d8756ead13083609ff6adadf2af5eeee7f0d0e738acfbc175
                                      • Opcode Fuzzy Hash: e0e4824bfb2fc171dd8ee1ff5988da58386cb5333d57af4c0325417c2f8ffce3
                                      • Instruction Fuzzy Hash: A0416D70E1464D8FEB44EF98D865AEDBBB0FF48310F01017AE018E3296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8983F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb77d9b7d17367a52d5d0c3232e4a61d0820d26288216c6e35c7f4cba7dbc1e2
                                      • Instruction ID: d54a51e2d06290958fe75a5abb15c8dfb119cda63fe8a5ff3e6005635778a96d
                                      • Opcode Fuzzy Hash: eb77d9b7d17367a52d5d0c3232e4a61d0820d26288216c6e35c7f4cba7dbc1e2
                                      • Instruction Fuzzy Hash: F2315B31E0961E8FDB58DFA4D464AFDBBB1EF48305F01017AE019E32D1CA386A41CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895A29 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3401951ce76815228ed53ca5179915c371257e07a153189b83cbb71ee91660bc
                                      • Instruction ID: 76f27c5c03717a86e6bedfcb7e3f7bd6c6396e4a90006562b9e76ba7b0a1c585
                                      • Opcode Fuzzy Hash: 3401951ce76815228ed53ca5179915c371257e07a153189b83cbb71ee91660bc
                                      • Instruction Fuzzy Hash: A6314A71A09A0D8FDB98EF9CC4A5AADB7F1FF98305F00056AE41DD7295CB35A8428B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B895931 Relevance: .1, Instructions: 94COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cd24f6cda9f5a9c848dc67b494b1beaedab33cce549de0c5aaf6239881d02beb
                                      • Instruction ID: 5b69914e422999f3c8b052a9384b2c678bd771a2ce084cdb49b4084442e051d5
                                      • Opcode Fuzzy Hash: cd24f6cda9f5a9c848dc67b494b1beaedab33cce549de0c5aaf6239881d02beb
                                      • Instruction Fuzzy Hash: DC31242090F7CE0FEBA29B78C564AE47FA1DF4A314F0904EED089EB197C9285941C712
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1db162be619e74a11b3c57ce62f9a0412c8268811c8779a52ee559b8d9787052
                                      • Instruction ID: 18dd55080e933d950fbe85f515913c48e48def4989b688a363134813da908cff
                                      • Opcode Fuzzy Hash: 1db162be619e74a11b3c57ce62f9a0412c8268811c8779a52ee559b8d9787052
                                      • Instruction Fuzzy Hash: 4C310671E0A65E8FDB59DFA8D8506EDBBB1FF48300F10056AE019E3291DB38A941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfbd15c629ce402446f2ca7244608ceef745f73244a00a71bc5ac12f9f1e0275
                                      • Instruction ID: a8114367ee7c9cc9b59218666ceedad555ef2a1e87b43209dde3730cf4b2ade4
                                      • Opcode Fuzzy Hash: bfbd15c629ce402446f2ca7244608ceef745f73244a00a71bc5ac12f9f1e0275
                                      • Instruction Fuzzy Hash: 0011FC31E1A52D8EDB69EB60D4617FCB671EF06301F8114B9D04EA2292CE356E44DB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8908B1 Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1cf4c538520fb9d745b1e7439776441969b1a51629255c9d6e60313354d2f1c7
                                      • Instruction ID: 39442dca2c7edc07978d875d2f9f1ebc83f7459fff8ee58b700a48340be2d552
                                      • Opcode Fuzzy Hash: 1cf4c538520fb9d745b1e7439776441969b1a51629255c9d6e60313354d2f1c7
                                      • Instruction Fuzzy Hash: E0F02831A0964D9FD794EB6888995EC7FB0EF48300F8105FAD008D61A2DF3816458741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39d27f2874e4329499f1aa0500d4e2f951b52dcebfc090c0dc503474219afea7
                                      • Instruction ID: b40f3b9971e331847195134358ab0a739d81f58d8d7744610c8b53c9089d40c0
                                      • Opcode Fuzzy Hash: 39d27f2874e4329499f1aa0500d4e2f951b52dcebfc090c0dc503474219afea7
                                      • Instruction Fuzzy Hash: 0FF02831A0E64D5FDB15EB6888A56ECBFA0EF44200F4501F6D418C71E3EB286946C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9f5de71d01e310d25de19f42e5ee6523df042c258de0c6b1d5f996b249653be
                                      • Instruction ID: 683c7e45f6f642c667c76ad803354b27e57d7bdbe11b3004d70b4304ad76e78f
                                      • Opcode Fuzzy Hash: a9f5de71d01e310d25de19f42e5ee6523df042c258de0c6b1d5f996b249653be
                                      • Instruction Fuzzy Hash: D8F0BE3050E64D8FCB66EF54C8556E93FA0FF5A304F0501AAE41CC7192CB7ADA65CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B898399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4016abae702ff6912c6d814f49f3e48f04bb4acc31850cd64f1e41cee9aa1e65
                                      • Instruction ID: 973e39bc55e4f3e50bfa413c253c8de4928af218edb9e9094174672a4846466a
                                      • Opcode Fuzzy Hash: 4016abae702ff6912c6d814f49f3e48f04bb4acc31850cd64f1e41cee9aa1e65
                                      • Instruction Fuzzy Hash: 32F0193191D68E8FDB51EBA888686AD7FF0FF1A304F0505A7D458D60A2DA3455448B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ae5eadda36293c1844d6bf955b0813ebf6c4e0d205ad985bb9f61d872076c60
                                      • Instruction ID: c73a1cfb75593f64e3e0008c71f261493adb5a5bc827a0156a1bef8181961530
                                      • Opcode Fuzzy Hash: 5ae5eadda36293c1844d6bf955b0813ebf6c4e0d205ad985bb9f61d872076c60
                                      • Instruction Fuzzy Hash: 84F05E3050960E8FDB55EF9494116E577A0FF59304F000176E41CD2195CA35A660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8981E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 885604a77612b4007665538a6f7475fabccb69192ee82b013977f59083f09ceb
                                      • Instruction ID: e2ec2e70e633c6ae88e18efbee7d7a10bc5649352f1e22dd7151f5da005ff06a
                                      • Opcode Fuzzy Hash: 885604a77612b4007665538a6f7475fabccb69192ee82b013977f59083f09ceb
                                      • Instruction Fuzzy Hash: 31E06832A49D0D8BCF609F98AC102843BB1FB4D304F01026DE04CC3180D3355E52C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B89685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b895000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb421aba41ecdfd5ea69e883e024c37e4698630aab55df376e19af45b9b23214
                                      • Instruction ID: 716a5aa4a74f656992352075b491c820e1c1d6a9f034f43921e73d89af15dad2
                                      • Opcode Fuzzy Hash: eb421aba41ecdfd5ea69e883e024c37e4698630aab55df376e19af45b9b23214
                                      • Instruction Fuzzy Hash: CFE06872A09A0C4BDB509F9CAC6028837A0FB4C308F010269D44CD7180D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f7d79206b12b07de61fd83f9da4de32b370e39b841b084be9c66662cce74ff9
                                      • Instruction ID: 5dc29335e76615ef497502ba6ce31a1219a49da787af1f3546836c0c06e8d05a
                                      • Opcode Fuzzy Hash: 2f7d79206b12b07de61fd83f9da4de32b370e39b841b084be9c66662cce74ff9
                                      • Instruction Fuzzy Hash: DAE0923185F68E5FDB266F6089661E97F60FF05310F0616FBD058861D3DB6C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B891C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1f98a806bba9975e56d2760c8cbbb1c488bb2ae63c72e8e6b2c22bed4af81a9
                                      • Instruction ID: 8b27181e0ccf9da73061104166d19654a517ccd7793feb9473d6d962f14127ea
                                      • Opcode Fuzzy Hash: b1f98a806bba9975e56d2760c8cbbb1c488bb2ae63c72e8e6b2c22bed4af81a9
                                      • Instruction Fuzzy Hash: 24F0E53194F38E4FDB666B6048611D97F70FF06600F0A06BAD068C61E3DB6CD658C342
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B892536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 860079fe4b3fc28d70a49c366ae196e430bc2c3ddea519ed3a4448d1675402b6
                                      • Instruction ID: c077375cd2b975c780b23080f7b62960c081b17b3154670cfcbcd522a2bd61f0
                                      • Opcode Fuzzy Hash: 860079fe4b3fc28d70a49c366ae196e430bc2c3ddea519ed3a4448d1675402b6
                                      • Instruction Fuzzy Hash: 8DF01270A0485E4FDFA8DF18C894BA9B3B1FB58340F1086E6900DE3255DA30AEC58F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: f30041032725aa9d0cdc4c1f37f2548c3d31e79fd394116e7dc55691a201d6d8
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 57E04F3050960ECFDFA4FF58C4506A67BA1FF58344F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B890C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ed696c7303c3b35a69239bfc24f224bfc1799ef611036c29ccd5e077e2e11987
                                      • Instruction ID: 694d450cd8a7e3001fe1007aa0fbfa459f24299059c1275021834738129051ff
                                      • Opcode Fuzzy Hash: ed696c7303c3b35a69239bfc24f224bfc1799ef611036c29ccd5e077e2e11987
                                      • Instruction Fuzzy Hash: 62E0EC31F1551D4EDB58EB98E8117EDB771FF85315F8005B1D11CE3196DA306A418B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8906FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =N_^$?N_I$N_^U$N_^X$N_^f$N_^g
                                      • API String ID: 0-893460077
                                      • Opcode ID: 4384e175eed4063088bc86d91a8e0a987472055626b2c89d5c46e580ec89dba9
                                      • Instruction ID: 8dc97e7f07101676ef18734aeee0b7967a5b85ea0b2859dab36eab07a6171790
                                      • Opcode Fuzzy Hash: 4384e175eed4063088bc86d91a8e0a987472055626b2c89d5c46e580ec89dba9
                                      • Instruction Fuzzy Hash: 63518A63B0F6851BEB2297DC6CA51A87FA1FF45B6075901F7E198C70A7F815A90283C2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8906A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000026.00000002.1883411026.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_38_2_7ffd9b890000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?N_I$N_^J$N_^K$N_^f$N_^g
                                      • API String ID: 0-3465608391
                                      • Opcode ID: 09d6cbf53d3f9d32993da068e265fc4c0df79060dce1b17eb4d65d6736fa54ea
                                      • Instruction ID: 131f10e2c7c1654ef6655b4177617c089ce11ab38812a706647eca96fa643a23
                                      • Opcode Fuzzy Hash: 09d6cbf53d3f9d32993da068e265fc4c0df79060dce1b17eb4d65d6736fa54ea
                                      • Instruction Fuzzy Hash: 5351A963B0F6951BEB2657EC2CA00A86F91FF85B7071506F7E198CB0E7E815A90683C1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Function 00007FFD9B8A5141 Relevance: 9.4, Strings: 7, Instructions: 623COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$"$-$[$]${$}
                                      • API String ID: 0-2220975799
                                      • Opcode ID: c9f4968a104db97c9ef65e13585196ef33a261a98d5f7c0d25758a151a567a27
                                      • Instruction ID: 2e380f10c25b544124b12395791ece4ffd89c09e81c20e95c95776070db2a135
                                      • Opcode Fuzzy Hash: c9f4968a104db97c9ef65e13585196ef33a261a98d5f7c0d25758a151a567a27
                                      • Instruction Fuzzy Hash: D542E670E1962D8FDBA8DF68C8A0BEDB7B1FF58301F5041A9D04DA7295DA346A81CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06E0 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^X$M_^f$M_^g
                                      • API String ID: 0-154525759
                                      • Opcode ID: 0dded5a7f685af40e7af0b950eca63ed33c2ee612b2f597b7ffca130a9555aa7
                                      • Instruction ID: 5aa46ae745495d3260ff1947cccf5901df5488e908886cdcda4357b1f2120b64
                                      • Opcode Fuzzy Hash: 0dded5a7f685af40e7af0b950eca63ed33c2ee612b2f597b7ffca130a9555aa7
                                      • Instruction Fuzzy Hash: C9615763B0F68D9AE725579C7C250B87BA0FF45A60B4503F7E05C860E7FD256A028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A04F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_^
                                      • API String ID: 0-1086198800
                                      • Opcode ID: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction ID: 3d8521bafb06154367cd6c1cff0b4bd3395916ff398081af40a7354ad919294e
                                      • Opcode Fuzzy Hash: ed94b66d069c29ce1fcfa9143b9bf8233c5ce2ef5c204b7049bd0855be72eb11
                                      • Instruction Fuzzy Hash: 2E01F531A0A25ECFC756EF6898A15F677A0FF05308F0402BAE05CC70D3EE29A551C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0F8D Relevance: .4, Instructions: 376COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction ID: c4eee4dfb26f822c80f2799e5fb765654599f6d40afb2291563f292b4d95e10b
                                      • Opcode Fuzzy Hash: 5d3f0b67193d23b1530145afd0bbbe4745c78847c617bd1803f2a87a11b3ada2
                                      • Instruction Fuzzy Hash: F9D14C71E1965D8FDBACEB58D865BA8B7B1FF58300F4441B9D00DE32A2DE386981CB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A7C89 Relevance: .3, Instructions: 334COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bb29fedfc87112ce17261f803d715f12fa63f606f36260abdd69c77db97d961
                                      • Instruction ID: 54807c0999df087d66af911b2990a09edfa8173802061190f2c0ba7029a74f3f
                                      • Opcode Fuzzy Hash: 4bb29fedfc87112ce17261f803d715f12fa63f606f36260abdd69c77db97d961
                                      • Instruction Fuzzy Hash: DEC17D74E0A51D8FEBA4DFA888957BD7BB1FF58300F514179C00DD3296DA386A82DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A3239 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction ID: 2577d3ba8292d67337c187970afcae245e713283573329d56a3fb02e1da44ceb
                                      • Opcode Fuzzy Hash: dd2aac89dca33480d49aa3cb74aa8d5b4399bfb18c88cfd480d78cf4fb88c195
                                      • Instruction Fuzzy Hash: CBB16E71E19A5D8FDBACEB58D865BA8B7A1FF58300F4441B9D00DE72E2DE346981CB01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A05D8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction ID: d9638f63021583494f95167e29688675b120fbe4741530340d955a603c15c04d
                                      • Opcode Fuzzy Hash: 65de27709f97cdb6d2bc1a6cc3ce09268b35de42fdde4e21bad9b32655ddfb8b
                                      • Instruction Fuzzy Hash: 6981E031B0DA494FDB68EF5C88605A977E2FF99700B15456AE49EC3292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A6163 Relevance: .2, Instructions: 200COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f25411a26c51e1c0714993484c7209fa1ea5c0860a74680a8a1e5a9a5d00be8
                                      • Instruction ID: 14200b91c799ef111c0ba5216a0ff0a486b4590d87a41354077db38a27c6753a
                                      • Opcode Fuzzy Hash: 0f25411a26c51e1c0714993484c7209fa1ea5c0860a74680a8a1e5a9a5d00be8
                                      • Instruction Fuzzy Hash: 8471B470E1491D8FEB94EFA8C8A5BEDB7B1FF58300F5041BAD41DE3296DA3469818B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A129D Relevance: .2, Instructions: 185COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction ID: dda21314199da0e545e0db3918eb48de3e6f086afecd7db00e4081cacd75964a
                                      • Opcode Fuzzy Hash: be6936be933c18ebbc97c8d7827ffbe8dc2ff9ed2dd9fef1275ce3e89cd5c73f
                                      • Instruction Fuzzy Hash: 2451DF30B19A4D4FDB58EF1888645BA77E2FF99304B15417EE45EC7292DE34E902C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2CD9 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction ID: 55b8106ca91a02037857c674765e3698e297d3b487388b95cea0dd0541718278
                                      • Opcode Fuzzy Hash: 3a6566c094f80b9352213ed58de54f3f3a084757c470d4643fb8e689d41cf406
                                      • Instruction Fuzzy Hash: 97516071E09A4D8FDBA4EFA8C465AEDB7F1FF59300F01016AE00DE7292CA24A941CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A238D Relevance: .2, Instructions: 157COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 333525a871859713f9c92520ecebd13eb493b0121fd3c9d993fa3073265e16d6
                                      • Instruction ID: 895d5abde65c573ea6c53ff6e500a3eee031a150d980e633134a748b5d6e7519
                                      • Opcode Fuzzy Hash: 333525a871859713f9c92520ecebd13eb493b0121fd3c9d993fa3073265e16d6
                                      • Instruction Fuzzy Hash: 7451E361A0F69D4FE7B1ABA88D647A87BA0EF5A300F0541F7D08CC71E7DD282A85C751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1828 Relevance: .1, Instructions: 116COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction ID: 81dfd5026df9d0b9b50f8e493e0f7379b3885173aa04c3c51a371722d7c5e403
                                      • Opcode Fuzzy Hash: 31a5c02048c366006308ce5201f6318245990a00721957686cfe32df16c66715
                                      • Instruction Fuzzy Hash: 09317031E1E61E8AE774BB9484217FCB2A1FF5A300F410279D45E931E5DF396A45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1CA9 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 188b021ed4bed3b1eb8713c526b4cb31c1a384b42961ab8c0a8370c4b5d91d38
                                      • Instruction ID: 745bd95a5167a03151c8b87ad9f103a87b799e541da78336c1967ab36cf137eb
                                      • Opcode Fuzzy Hash: 188b021ed4bed3b1eb8713c526b4cb31c1a384b42961ab8c0a8370c4b5d91d38
                                      • Instruction Fuzzy Hash: B5416E71E0951D8FDB54EF98D8A4AECBBF0FF09300F4001AAD009E72A1DB34A945CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A64E9 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 614b58682d30f809b617a2e64f6f2f2d41698f9ff4ea08d08b133b7a7e0ced90
                                      • Instruction ID: cd09ebcf86c8bbf8fc6ea9fa27c928a695271784c025565350b5eaf153e98a99
                                      • Opcode Fuzzy Hash: 614b58682d30f809b617a2e64f6f2f2d41698f9ff4ea08d08b133b7a7e0ced90
                                      • Instruction Fuzzy Hash: 0D418D70E096498FEB55DFA4C865AEDBBB1FF59300F5101BAD009D729ACB389A81CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5FDD Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23c83daecb5f4c0bc0871ca511c9a13d81aa4fb0bb23fe65d62cc532bbc884de
                                      • Instruction ID: 00162fabb03f0e3cb7ece1be933fd97144f4ca14fa8e045bb0b386a82d7bb590
                                      • Opcode Fuzzy Hash: 23c83daecb5f4c0bc0871ca511c9a13d81aa4fb0bb23fe65d62cc532bbc884de
                                      • Instruction Fuzzy Hash: 42415D70E14A4D8FDB94EFA8D865AEDBBF1FF48310F45017AE008E7296DA3469418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A83F5 Relevance: .1, Instructions: 103COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7aa709bc84db50da66da9399bdecd951641e4d0a1001f306f9659af6efb0298b
                                      • Instruction ID: 84799463e543c76f3d55fd99d8a896764845694828fad55ef8a971952d96736c
                                      • Opcode Fuzzy Hash: 7aa709bc84db50da66da9399bdecd951641e4d0a1001f306f9659af6efb0298b
                                      • Instruction Fuzzy Hash: 7A315C31E0A61E8FDB58DFA4D4646FEB7B5EF48301F41017AE019A32D5CA386A41CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5A29 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a3ea5c24486e244ad5876968a3cf8ba1894c31496d1af2dc02552ce80c15466d
                                      • Instruction ID: 8daa6231a6bd42d97c487ff0cd04c3bfaaa0abeb04a932ed906dbbfcb2ad37d6
                                      • Opcode Fuzzy Hash: a3ea5c24486e244ad5876968a3cf8ba1894c31496d1af2dc02552ce80c15466d
                                      • Instruction Fuzzy Hash: 50315C71B0894D8FDB94EF9CC495AADB7F1FF98305F10056AE01DD7295CB35A9428B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A5931 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c15e94ea668dfd93fc7fd662a5a53c5a1cba0c07cacb33f04d9bd86e02372cae
                                      • Instruction ID: 01a0445569f7bee7da89598a735330bb880c3744d2f75a272e728fbeb075a095
                                      • Opcode Fuzzy Hash: c15e94ea668dfd93fc7fd662a5a53c5a1cba0c07cacb33f04d9bd86e02372cae
                                      • Instruction Fuzzy Hash: C3312620A0F6CE5FE7A69B748864AE57FB1EF4B310F0D04EED088DB197C9185985C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2BC9 Relevance: .1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction ID: c00ab8dacdd34e5df0ad74eeaad5de679bd2179a6400084a9d7ab56429e9c680
                                      • Opcode Fuzzy Hash: f7f462b48c2fa4219576813cfe6dad9678d3c2dc2fa14798934b0fca7ec191f4
                                      • Instruction Fuzzy Hash: 7F312B70E0A64E8FDB59DFA8D9506EDB7B1FF48300F10057AE019E3291DB389951CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A186A Relevance: .1, Instructions: 64COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction ID: 3eb9ddf89bf31ed275270a7a055c8b6ce69cd92175d3815db1d0d97dabc32b71
                                      • Opcode Fuzzy Hash: 0eea6d1da4db9aa53906637d4c67b336d9bcbcc22c6eab99db78b12d413c6da9
                                      • Instruction Fuzzy Hash: B611FC31E1A52D8ED769EB60D4617FCB275FF06301F4110B9D04DA2292DE396E44CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A08B1 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ef875af19ca1d1f67e13d5fa3c3f8dd7710370204c24af93432e7f203d1d8fdc
                                      • Instruction ID: 81e2eb453a15c0defe38d988d20f33578fbb623beed7723a034d14caa2493b2e
                                      • Opcode Fuzzy Hash: ef875af19ca1d1f67e13d5fa3c3f8dd7710370204c24af93432e7f203d1d8fdc
                                      • Instruction Fuzzy Hash: DFF04630A1924E4FD394EB7488A55ECBFB0FF49300F8101FAD00CC30A2DF2826598300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F5D Relevance: .0, Instructions: 39COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4272ce642daa34efd7f6e939e60c77a3b8730fa367193a3cc0f2f7dd1ab138f9
                                      • Instruction ID: 0ff082c6075be97b911215099b623d09be6355b0ef0df208f9d7e5176b26911f
                                      • Opcode Fuzzy Hash: 4272ce642daa34efd7f6e939e60c77a3b8730fa367193a3cc0f2f7dd1ab138f9
                                      • Instruction Fuzzy Hash: D9F02831A4EA8D4FD715EB6888655EC7FA0FF45200F4501F6D458C71E3EB386945C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1241 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction ID: f223197e4087428c2f3635a0dcedc09ba7c333b087cd94a4200a71155a387619
                                      • Opcode Fuzzy Hash: 4b10c09ba03b7bf0c3012a945ba833de592abb1c0582a75ac39f0c86476c29a1
                                      • Instruction Fuzzy Hash: B9F0B43050D64D8FCB55DF14C4516E57BA0FF56300F0501AAE41CC7192CB79DA64CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A8399 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction ID: b86191e9ae95e51a6c0a64fc94c6a66c806de541d07f2975c73c3c7c8b0e07ef
                                      • Opcode Fuzzy Hash: 26f04155982989f8600ce0ac4d0f90bd18d31f4cec8ee2375f310dbef9501f5a
                                      • Instruction Fuzzy Hash: D4F08C3080E68D8FDB51EBA888682ED7FF0FF19304F4504A7D008D60A2DB346654CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0528 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction ID: d6900971d0672197baec63f717fb73311d13d4350e1b79349f57f883aea61e8c
                                      • Opcode Fuzzy Hash: 0611d6cc732bddabb11b29671c4610bada4175630f9603a274eb87f472650ad7
                                      • Instruction Fuzzy Hash: 1EF05E3050960E8FDB55EF5494216E577A0FF59304F000176E41CD2195CA35E660C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A81E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction ID: 177d08f533422be18da5ea660d2b8b510f6b0d31ff5337c95e642aaabc41f3ee
                                      • Opcode Fuzzy Hash: 7947c05737feb902556589f600c8c4fdd55b3f43da46109a951f84e92c06d79a
                                      • Instruction Fuzzy Hash: CBE0D871949D4C8BCB649B599C2029577B1FB4D304F41066DE44CC7191D7355E56C321
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A685C Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a5000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction ID: 66179f01e23e7aaa0beb2b0866285ddbc1bedf3224308ce7378dec91a5eb95d8
                                      • Opcode Fuzzy Hash: ac9ede0e47586a88e492e8f6d9408796d47db806b192e29922c3739a53dc66f2
                                      • Instruction Fuzzy Hash: 8FE06832909A0C4BCB509F989C6028873A4FB4C308F010269D44CD7184D3215544C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1F15 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction ID: 61fa876d48b7d9e159915463b5e9ebf3a1559aceccce50a2f69ad9474c70305a
                                      • Opcode Fuzzy Hash: 80b385a42bce4c852764c522d375b0a8d5a7fe3dec65120092c17d01a1916925
                                      • Instruction Fuzzy Hash: A0E0223180F2CE4FD7226F6088261E97B60FF06300F0A06BBD05C8A0D3DB2C9628C741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A1C19 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction ID: e764ec8c1b3b531a343fbad1aa230ff1f693fcaadfd3f80e9af0df34dcaf136a
                                      • Opcode Fuzzy Hash: 422a9c0d5ff2148cfd47dc44a07e2f60a8eb3489fbf2058b2d3d0ef83fb33f85
                                      • Instruction Fuzzy Hash: F1F0E53194F38E4FD7666B6048651D97F70FF06200F0A06B6D058C61E3DB6C9658C352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A2536 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f022370ebe7cdb226bf9350ca7bc53721c33865eaa9daf5ad2a520e21d65a422
                                      • Instruction ID: 17bc30fc600e9daeabb7876c727c948d14d78d1df592481c94ae12396e3f3a04
                                      • Opcode Fuzzy Hash: f022370ebe7cdb226bf9350ca7bc53721c33865eaa9daf5ad2a520e21d65a422
                                      • Instruction Fuzzy Hash: DCF0A271A1495E4FDFA8DF58C894BA9B3B1FB58344F5086E6900DE3255DA30AEC58F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0530 Relevance: .0, Instructions: 21COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction ID: 30e23b61984462143688f0acb97c49aa7f228fe9299e9ff039252866cc2b0332
                                      • Opcode Fuzzy Hash: 4052877536065a422ffdacf6b0f575e94888fbc971f21f8d59286a0c27209402
                                      • Instruction Fuzzy Hash: 3DE04F3450960ECFDBA8EF58C4506A677A1FF59304F100539E41CD2190CB35E6A0CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A0C61 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ede4ed3f6ec6f7cc9dc1f910048ae5334f3559ba6be5a8e5edb30e4c65b48ee1
                                      • Instruction ID: e4bbc0923df52344940eb765089847a1950fbffc4aef0579a6d211344e3ad58f
                                      • Opcode Fuzzy Hash: ede4ed3f6ec6f7cc9dc1f910048ae5334f3559ba6be5a8e5edb30e4c65b48ee1
                                      • Instruction Fuzzy Hash: 45E0EC31F1551D8EDB58EB98E8517EDB771FF89315F8005B1D11CE3196DA306A418B41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Function 00007FFD9B8A06FA Relevance: 7.7, Strings: 6, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =M_^$?M_I$M_^U$M_^X$M_^f$M_^g
                                      • API String ID: 0-3044347950
                                      • Opcode ID: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction ID: 0131e3a94caf0220e34a8ae220d97852959a8a9b56db11ca76dc861bce4287de
                                      • Opcode Fuzzy Hash: 66fdb44b677144909655499dbc431b2ce1e0a586a1def1fae2886c7bf05c744d
                                      • Instruction Fuzzy Hash: 12517B53B0F6894BE722579C3C250B8BB91FF46A6075907F7E09C860E7FC16AA028295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Function 00007FFD9B8A06A5 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000027.00000002.1903501179.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_39_2_7ffd9b8a0000_UserOOBEBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?M_I$M_^J$M_^K$M_^f$M_^g
                                      • API String ID: 0-1283126691
                                      • Opcode ID: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction ID: ed3dacb467e6259db3e102457e2a6bbf744c0f72c73059d6c052dc00d5bf8751
                                      • Opcode Fuzzy Hash: 1b6c81797b0860d747f6da035ae7634e1ef66cf5333b87bb5f4f6334451e86ed
                                      • Instruction Fuzzy Hash: B8518A63B0F68D8BE72557AC3C200B87B91FF46B6071507F7D09C860E7FC16A9068295
                                      Uniqueness

                                      Uniqueness Score: -1.00%