Windows Analysis Report
FVN001-230824.exe

Overview

General Information

Sample name: FVN001-230824.exe
Analysis ID: 1410991
MD5: f9a102868bcd7a4c6779c73d678b50e4
SHA1: 5116f1b9a635c7c884ce558177ebe34fa5d992b0
SHA256: 959d491cbde6323dc2bf7c377a9c1e0940b988f51a3efcc0f1bd526cc0d210b4
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • FVN001-230824.exe (PID: 1256 cmdline: C:\Users\user\Desktop\FVN001-230824.exe MD5: F9A102868BCD7A4C6779C73D678B50E4)
    • FVN001-230824.exe (PID: 1968 cmdline: C:\Users\user\Desktop\FVN001-230824.exe MD5: F9A102868BCD7A4C6779C73D678B50E4)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.pcpatelinfra.com", "Username": "barmer.store@pcpatelinfra.com", "Password": "sB)H)b!K8"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
5.2.FVN001-230824.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.FVN001-230824.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.FVN001-230824.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33533:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x335a5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3362f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3372b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3379d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33833:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338c3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.FVN001-230824.exe.3aaf240.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.FVN001-230824.exe.3aaf240.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\FVN001-230824.exe, Initiated: true, ProcessId: 1968, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49713

Timestamp: 03/18/24-14:38:09.012313 | SID: 2855542 | Source Port: 49713 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 03/18/24-14:38:09.012313 | SID: 2855245 | Source Port: 49713 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 03/18/24-14:38:09.012313 | SID: 2840032 | Source Port: 49713 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 03/18/24-14:38:09.012313 | SID: 2851779 | Source Port: 49713 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 03/18/24-14:38:09.012229 | SID: 2030171 | Source Port: 49713 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.pcpatelinfra.com", "Username": "barmer.store@pcpatelinfra.com", "Password": "sB)H)b!K8"}
Source: FVN001-230824.exe | ReversingLabs: Detection: 71%
Source: FVN001-230824.exe | Joe Sandbox ML: detected
Source: FVN001-230824.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: FVN001-230824.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: GTmz.pdb source: FVN001-230824.exe
Source: Binary string: GTmz.pdbSHA256 source: FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 4x nop then jmp 04815F0Ch (2_2_048157A2)

Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.9:49713 -> 208.91.198.143:587
Source: Yara match | File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:49713 -> 208.91.198.143:587
Source: Joe Sandbox View | IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View | IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.9:49713 -> 208.91.198.143:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: FVN001-230824.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: FVN001-230824.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: FVN001-230824.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.pcpatelinfra.com
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://support.mailhostbox.com/email-administrators-guide-error-codes/
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: FVN001-230824.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, NmHr1WHWKO.cs | .Net Code: xoM6
Source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, NmHr1WHWKO.cs | .Net Code: xoM6

System Summary

Source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_00ADE22C
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_00AD4AE0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_048167C0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04810C68
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04810C78
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04816FF0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04812758
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_048110B0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04813108
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E74A98
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E7C94D
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E73E80
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E7DCE1
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E741C8
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E7DFA0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06990FF0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06995CF8
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06993528
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06994570
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_0699E0A9
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_0699919F
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_0699A108
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06995618
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06993C67
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_0699C338
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEA178
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEBC58
Source: FVN001-230824.exe | Static PE information: invalid certificate
Source: FVN001-230824.exe, 00000002.00000002.1354708928.0000000006F20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1350866532.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1351935296.0000000002814000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000005.00000002.2557776881.0000000000F39000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FVN001-230824.exe
Source: FVN001-230824.exe | Binary or memory string: OriginalFilenameGTmz.exeB vs FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Section loaded: wintypes.dll
Source: FVN001-230824.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: FVN001-230824.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, ISZbPXDvPz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, ISZbPXDvPz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, nAXAT51m.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, nAXAT51m.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, nAXAT51m.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, nAXAT51m.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, YpS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, YpS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, N34ZcyVrqOfmOWTrfa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs | Security API names: _0020.SetAccessControl
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs | Security API names: _0020.AddAccessRule
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, N34ZcyVrqOfmOWTrfa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs | Security API names: _0020.SetAccessControl
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\FVN001-230824.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FVN001-230824.exe.log
Source: C:\Users\user\Desktop\FVN001-230824.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\FVN001-230824.exe | Mutant created: \Sessions\1\BaseNamedObjects\YGoHVD
Source: FVN001-230824.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FVN001-230824.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\FVN001-230824.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FVN001-230824.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FVN001-230824.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\FVN001-230824.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FVN001-230824.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe | Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe | Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\FVN001-230824.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: FVN001-230824.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FVN001-230824.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FVN001-230824.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: GTmz.pdb source: FVN001-230824.exe
                      Source: Binary string: GTmz.pdbSHA256 source: FVN001-230824.exe

Data Obfuscation

Source: FVN001-230824.exe, MainForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: FVN001-230824.exe, MainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs | .Net Code: R76tsrTkjC System.Reflection.Assembly.Load(byte[])
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs | .Net Code: R76tsrTkjC System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04810671 push edx; ret 2_2_04810680
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 2_2_04816188 push eax; ret 2_2_04816189
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E70CB5 push edi; ret 5_2_02E70CC2
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_02E70C95 push edi; retf 5_2_02E70C3A
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_0699FEC0 push es; ret 5_2_0699FED0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AE5170 push es; ret 5_2_06AE5160
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AE5150 push es; ret 5_2_06AE5160
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB99 push es; iretd 5_2_06AEFBC8
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFBCD push es; iretd 5_2_06AEFBDC
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFBC9 push es; iretd 5_2_06AEFBCC
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFBDD push es; iretd 5_2_06AEFBE0
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB21 push es; iretd 5_2_06AEFB24
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB10 push es; iretd 5_2_06AEFB20
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB6D push es; iretd 5_2_06AEFB70
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB7D push es; iretd 5_2_06AEFB88
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB71 push es; iretd 5_2_06AEFB7C
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB44 push es; iretd 5_2_06AEFB54
Source: C:\Users\user\Desktop\FVN001-230824.exe | Code function: 5_2_06AEFB55 push es; iretd 5_2_06AEFB5C
Source: FVN001-230824.exe | Static PE information: section name: .text entropy: 7.9530705368610946
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, hOL09Lfr1bK7NSIFg2.cs | High entropy of concatenated method names: 'JHaP5HZPn8', 'BdMPxTLqZy', 'SogP7DyZ49', 'wLEPT4oE3X', 'N8uPIMnGWH', 'yqRPGtx3FS', 'p1YPaAocbh', 'I9TPmPnTBG', 'zuBPEwUhjb', 'A61PCTaFRK'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, DvMpNZAgK2Isvs1CEm.cs | High entropy of concatenated method names: 'Dispose', 'xsTJUSWIb8', 'rt13TWNIMk', 'ar7ggqI0J5', 'aLyJZ9H2Gn', 'V0uJz07WZ4', 'ProcessDialogKey', 'A433N8SkjV', 'KyA3Jepiw0', 'Rxf336dgmy'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs | High entropy of concatenated method names: 'I7Qv8rj2Mx', 'e7HvY2jjJA', 'vejvLWDMm3', 'jCvvXaSmN9', 'eowvjfl11w', 'KnXv1uoGuu', 'eSGvnewqjk', 'X7hvOrT3cZ', 'P8XvAMTeAv', 'NU8v4Y55dK'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, EoaQ3YrWSj4xVu9mSx.cs | High entropy of concatenated method names: 'koWkEf9B89', 'F6YkR94iR1', 'd2Kk6WNp3p', 'xNlkFOTIkX', 'Ls7kTDeWjF', 'CltkM76YZr', 'lxjkI87Exq', 'xfwkGv1pGa', 'XsTk0s0Rxe', 'VfFkaudO56'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, Xn4GP52jQsLFHNejSw.cs | High entropy of concatenated method names: 'spFXSn3c2A', 'SWZXWBXGoZ', 'x6jX5og4BU', 'JADXxRw01l', 'Cn2XkW9h3q', 'VH7XHYwCBt', 'CuJXf8XOPh', 'satXQ4lCAl', 'Ui5XlhuvPA', 'EsMXi8REy5'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, SG4F5vTGsYf2KfYXCu.cs | High entropy of concatenated method names: 'GgOsM9I7V', 'xpaSMZGcC', 'eHKWesAMp', 'nBWwpIFqT', 'ChWxuyoGV', 'kQWBuvpS1', 'aKDJbk3NkiiIVY4OYS', 'OCvboUdM6ZsG3Dd68p', 'ExSQjp1YE', 'MgHiE70BR'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, IZn3i3Gk1n4iYx0vy0i.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bCki6QRNM8', 'NiDiFA9wmq', 'So5iDdXJrE', 'adqiKKurVZ', 'KSDiVd8nap', 'yL1ihCWdWB', 'siAiePhdJ7'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, n6N0ry1UwKZTDF1W7o.cs | High entropy of concatenated method names: 'tOOQ7Y3gIy', 'loIQTS4tvD', 'RkSQMFS4cR', 'k7cQIILyED', 'pUZQ6ZcLjb', 'oybQGagK3q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, CqLFsODm2pZGhrJBy6.cs | High entropy of concatenated method names: 'fO3no9cj4S', 'iLunr3leN0', 'Tq1nsfiTH6', 'LRqnS4Djtw', 'zk1n9dJCLP', 'F5PnWrTycY', 'VREnwuoF1p', 'JcSn5oyXK3', 'vjbnxBV6TS', 'kJjnBMsVK2'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, WUDBeKXW5DwYN7QhDQ.cs | High entropy of concatenated method names: 'Q70fcMLyAW', 'VHpfZ1FYuJ', 'rOvQNMXUHg', 'YjKQJoA3oj', 'NBWfCOCcY0', 'X6ufRLqJjf', 'RmyfqJd9WR', 'k9Pf6fcWWF', 'jetfFBU8cH', 'fIZfDWooJK'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, TYjxgRGBcnj4N3bl4Qk.cs | High entropy of concatenated method names: 'vYFlor7Qkp', 'aWnlrJX5cB', 'tmelshcB3E', 'TILlST9aOW', 'hLal9FsRvd', 'y1RlWjdwKi', 'y7Mlwu6xbD', 'kY8l5hZJXN', 'sJ0lxiWaKH', 'WlJlBDwLHh'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, SekI0imFQCXOq8VsmR.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xxN3Um2Xa3', 'xBW3ZIAsis', 'w6J3zopyt0', 'VAgvNuG0uy', 'ARwvJS9miq', 'HJjv32ofHH', 'WmAvvH4EWN', 'dFYadHRGliwwvYud5mR'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, Vts58fHrCHZT20dRu9.cs | High entropy of concatenated method names: 'r6TQYUdby1', 'sF8QLYrBC0', 'ih3QXl8dCw', 'bNKQj1wmSh', 'H7YQ19Jtdt', 'RaaQnxI7hJ', 'vhqQOG6e32', 'b1DQAgZH0J', 'AS6Q42AdN4', 'CJAQpvKS3e'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, OE11K0zLUfoCqyq2xS.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dXBlPbRRr4', 'IdXlkbsOYo', 'RlnlHga9NG', 'eDflftRUoy', 'OH5lQ6xRsx', 'AoVllQCMJt', 'PUYliLSKno'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, EMRX9ejm9MK7bCmTS1.cs | High entropy of concatenated method names: 'E1d18WC3Ey', 'y5C1LyVhtj', 'dBB1jVx7gV', 'gMa1nJHtwP', 'ijp1OhA6GW', 'gYDjVUnsh4', 'wlhjhDSGDd', 'f2WjeCN9cD', 'v4FjcZ9DvL', 's5ojUXUC2X'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, N34ZcyVrqOfmOWTrfa.cs | High entropy of concatenated method names: 'yfwL67mZU3', 'WxGLFtMs0s', 'JEnLDv6x7t', 'MyNLKqDpDc', 'XciLV4PMMa', 'zLfLhq6srU', 'tyPLeVdKLO', 'xxVLcPSpo6', 'GdHLUwPjuo', 's1LLZLZ8eV'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, b2Sm9vL4O9uFZXl1qI.cs | High entropy of concatenated method names: 'qubJnJb6PA', 'wdWJOJ3QRy', 'he4J4pFIU7', 'YYKJpB6sHi', 'Ot7JkregbV', 'D5aJHy1OA6', 'SOw3tyYgg4GPke8umT', 'lGfd9E4DJBchLJSA2c', 'pOKJJG05TH', 'RHmJv7kOxw'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, TuuJmTvFVeV5mu7o3Z.cs | High entropy of concatenated method names: 'ejt1yQyC1B', 'Bm41oFVAAL', 'HrV1sDNF1V', 'tkO1S4laP7', 'NI81W3pWAw', 'gYQ1w9O65V', 'KqI1xIHSXO', 'X4J1BfM9J0', 'ldiR4XG7ARMQIAAieoc', 'zcUP3ZGQ7HfLi0NZqXJ'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, iZV0pMM4Dts6tBSOQP.cs | High entropy of concatenated method names: 'ToString', 'GXbHCrcmV3', 'YGkHTUH01B', 'tqcHM8amYg', 'BZyHI9WyrZ', 'fWXHG7m9hR', 'M52H0vAUNe', 'ySIHaJQZEo', 'xc6HmTD2Jd', 'qY6HbCmH1K'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, z74bjNPfWJrQUxpqQT.cs | High entropy of concatenated method names: 'dVplJXgTjR', 'jxKlvECBZk', 'P74lt1W1nQ', 'vtMlYIeokD', 'FRNlLDiFOf', 'zdEljquJyX', 'QV4l1PWPKK', 'w3iQer2Tfm', 'kVTQcdBePH', 'ycnQUvsY7E'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, ip1viPnI8reVhE0pgB.cs | High entropy of concatenated method names: 'WQ8nYh931Y', 'iu9nXwwIAl', 'euhn1joKk5', 'oaD1ZPx44R', 'G7W1zIvsJK', 'n72nNqVEsV', 'TrtnJn2aMO', 'pf3n3GkJUD', 'AnInvN5HLI', 'uK4ntxy0AD'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, hOL09Lfr1bK7NSIFg2.cs | High entropy of concatenated method names: 'JHaP5HZPn8', 'BdMPxTLqZy', 'SogP7DyZ49', 'wLEPT4oE3X', 'N8uPIMnGWH', 'yqRPGtx3FS', 'p1YPaAocbh', 'I9TPmPnTBG', 'zuBPEwUhjb', 'A61PCTaFRK'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, DvMpNZAgK2Isvs1CEm.cs | High entropy of concatenated method names: 'Dispose', 'xsTJUSWIb8', 'rt13TWNIMk', 'ar7ggqI0J5', 'aLyJZ9H2Gn', 'V0uJz07WZ4', 'ProcessDialogKey', 'A433N8SkjV', 'KyA3Jepiw0', 'Rxf336dgmy'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs | High entropy of concatenated method names: 'I7Qv8rj2Mx', 'e7HvY2jjJA', 'vejvLWDMm3', 'jCvvXaSmN9', 'eowvjfl11w', 'KnXv1uoGuu', 'eSGvnewqjk', 'X7hvOrT3cZ', 'P8XvAMTeAv', 'NU8v4Y55dK'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, EoaQ3YrWSj4xVu9mSx.cs | High entropy of concatenated method names: 'koWkEf9B89', 'F6YkR94iR1', 'd2Kk6WNp3p', 'xNlkFOTIkX', 'Ls7kTDeWjF', 'CltkM76YZr', 'lxjkI87Exq', 'xfwkGv1pGa', 'XsTk0s0Rxe', 'VfFkaudO56'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, Xn4GP52jQsLFHNejSw.cs | High entropy of concatenated method names: 'spFXSn3c2A', 'SWZXWBXGoZ', 'x6jX5og4BU', 'JADXxRw01l', 'Cn2XkW9h3q', 'VH7XHYwCBt', 'CuJXf8XOPh', 'satXQ4lCAl', 'Ui5XlhuvPA', 'EsMXi8REy5'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, SG4F5vTGsYf2KfYXCu.cs | High entropy of concatenated method names: 'GgOsM9I7V', 'xpaSMZGcC', 'eHKWesAMp', 'nBWwpIFqT', 'ChWxuyoGV', 'kQWBuvpS1', 'aKDJbk3NkiiIVY4OYS', 'OCvboUdM6ZsG3Dd68p', 'ExSQjp1YE', 'MgHiE70BR'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, IZn3i3Gk1n4iYx0vy0i.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bCki6QRNM8', 'NiDiFA9wmq', 'So5iDdXJrE', 'adqiKKurVZ', 'KSDiVd8nap', 'yL1ihCWdWB', 'siAiePhdJ7'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, n6N0ry1UwKZTDF1W7o.cs | High entropy of concatenated method names: 'tOOQ7Y3gIy', 'loIQTS4tvD', 'RkSQMFS4cR', 'k7cQIILyED', 'pUZQ6ZcLjb', 'oybQGagK3q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, CqLFsODm2pZGhrJBy6.cs | High entropy of concatenated method names: 'fO3no9cj4S', 'iLunr3leN0', 'Tq1nsfiTH6', 'LRqnS4Djtw', 'zk1n9dJCLP', 'F5PnWrTycY', 'VREnwuoF1p', 'JcSn5oyXK3', 'vjbnxBV6TS', 'kJjnBMsVK2'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, WUDBeKXW5DwYN7QhDQ.cs | High entropy of concatenated method names: 'Q70fcMLyAW', 'VHpfZ1FYuJ', 'rOvQNMXUHg', 'YjKQJoA3oj', 'NBWfCOCcY0', 'X6ufRLqJjf', 'RmyfqJd9WR', 'k9Pf6fcWWF', 'jetfFBU8cH', 'fIZfDWooJK'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, TYjxgRGBcnj4N3bl4Qk.cs | High entropy of concatenated method names: 'vYFlor7Qkp', 'aWnlrJX5cB', 'tmelshcB3E', 'TILlST9aOW', 'hLal9FsRvd', 'y1RlWjdwKi', 'y7Mlwu6xbD', 'kY8l5hZJXN', 'sJ0lxiWaKH', 'WlJlBDwLHh'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, SekI0imFQCXOq8VsmR.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xxN3Um2Xa3', 'xBW3ZIAsis', 'w6J3zopyt0', 'VAgvNuG0uy', 'ARwvJS9miq', 'HJjv32ofHH', 'WmAvvH4EWN', 'dFYadHRGliwwvYud5mR'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, Vts58fHrCHZT20dRu9.cs | High entropy of concatenated method names: 'r6TQYUdby1', 'sF8QLYrBC0', 'ih3QXl8dCw', 'bNKQj1wmSh', 'H7YQ19Jtdt', 'RaaQnxI7hJ', 'vhqQOG6e32', 'b1DQAgZH0J', 'AS6Q42AdN4', 'CJAQpvKS3e'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, OE11K0zLUfoCqyq2xS.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dXBlPbRRr4', 'IdXlkbsOYo', 'RlnlHga9NG', 'eDflftRUoy', 'OH5lQ6xRsx', 'AoVllQCMJt', 'PUYliLSKno'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, EMRX9ejm9MK7bCmTS1.cs | High entropy of concatenated method names: 'E1d18WC3Ey', 'y5C1LyVhtj', 'dBB1jVx7gV', 'gMa1nJHtwP', 'ijp1OhA6GW', 'gYDjVUnsh4', 'wlhjhDSGDd', 'f2WjeCN9cD', 'v4FjcZ9DvL', 's5ojUXUC2X'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, N34ZcyVrqOfmOWTrfa.cs | High entropy of concatenated method names: 'yfwL67mZU3', 'WxGLFtMs0s', 'JEnLDv6x7t', 'MyNLKqDpDc', 'XciLV4PMMa', 'zLfLhq6srU', 'tyPLeVdKLO', 'xxVLcPSpo6', 'GdHLUwPjuo', 's1LLZLZ8eV'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, b2Sm9vL4O9uFZXl1qI.cs | High entropy of concatenated method names: 'qubJnJb6PA', 'wdWJOJ3QRy', 'he4J4pFIU7', 'YYKJpB6sHi', 'Ot7JkregbV', 'D5aJHy1OA6', 'SOw3tyYgg4GPke8umT', 'lGfd9E4DJBchLJSA2c', 'pOKJJG05TH', 'RHmJv7kOxw'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, TuuJmTvFVeV5mu7o3Z.cs | High entropy of concatenated method names: 'ejt1yQyC1B', 'Bm41oFVAAL', 'HrV1sDNF1V', 'tkO1S4laP7', 'NI81W3pWAw', 'gYQ1w9O65V', 'KqI1xIHSXO', 'X4J1BfM9J0', 'ldiR4XG7ARMQIAAieoc', 'zcUP3ZGQ7HfLi0NZqXJ'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, iZV0pMM4Dts6tBSOQP.cs | High entropy of concatenated method names: 'ToString', 'GXbHCrcmV3', 'YGkHTUH01B', 'tqcHM8amYg', 'BZyHI9WyrZ', 'fWXHG7m9hR', 'M52H0vAUNe', 'ySIHaJQZEo', 'xc6HmTD2Jd', 'qY6HbCmH1K'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, z74bjNPfWJrQUxpqQT.cs | High entropy of concatenated method names: 'dVplJXgTjR', 'jxKlvECBZk', 'P74lt1W1nQ', 'vtMlYIeokD', 'FRNlLDiFOf', 'zdEljquJyX', 'QV4l1PWPKK', 'w3iQer2Tfm', 'kVTQcdBePH', 'ycnQUvsY7E'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, ip1viPnI8reVhE0pgB.cs | High entropy of concatenated method names: 'WQ8nYh931Y', 'iu9nXwwIAl', 'euhn1joKk5', 'oaD1ZPx44R', 'G7W1zIvsJK', 'n72nNqVEsV', 'TrtnJn2aMO', 'pf3n3GkJUD', 'AnInvN5HLI', 'uK4ntxy0AD'
Source: C:\Users\user\Desktop\FVN001-230824.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: C:\Users\user\Desktop\FVN001-230824.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: AD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 27B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 47B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 6FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 7FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 8230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 9230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FVN001-230824.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\FVN001-230824.exeWindow / User API: threadDelayed 764Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeWindow / User API: threadDelayed 3414Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 1756Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7228Thread sleep count: 764 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99891s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7228Thread sleep count: 3414 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99781s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99672s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99563s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99453s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99344s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -99110s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98985s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98860s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98735s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98485s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98360s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -98110s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -97985s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -97860s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -97735s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -97610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\FVN001-230824.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\FVN001-230824.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\FVN001-230824.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99891Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99781Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99672Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99563Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99453Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99344Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99235Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 99110Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98985Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98860Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98735Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98610Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98485Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98360Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98235Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 98110Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 97985Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 97860Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 97735Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 97610Jump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: FVN001-230824.exe, 00000005.00000002.2557873364.000000000103F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\FVN001-230824.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\FVN001-230824.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FVN001-230824.exe; Memory written: C:\Users\user\Desktop\FVN001-230824.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\FVN001-230824.exe; Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Users\user\Desktop\FVN001-230824.exe VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Users\user\Desktop\FVN001-230824.exe VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FVN001-230824.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FVN001-230824.exe PID: 1968, type: MEMORYSTR
Source: C:\Users\user\Desktop\FVN001-230824.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\FVN001-230824.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FVN001-230824.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\FVN001-230824.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FVN001-230824.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\FVN001-230824.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\FVN001-230824.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\FVN001-230824.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FVN001-230824.exe PID: 1968, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FVN001-230824.exe PID: 1968, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label | Link
FVN001-230824.exe | 71% | ReversingLabs | Win32.Spyware.Negasteal
FVN001-230824.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://smtp.pcpatelinfra.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high
api.ipify.org | 172.67.74.152 | true | false | | high
smtp.pcpatelinfra.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://smtp.pcpatelinfra.com | FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://support.mailhostbox.com/email-administrators-guide-error-codes/ | FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://us2.smtp.mailhostbox.com | FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | FVN001-230824.exe | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | US | 394695 | PUBLIC-DOMAIN-REGISTRY | false
172.67.74.152 | api.ipify.org | United States | US | 13335 | CLOUDFLARENET | false
                                          Joe Sandbox version:40.0.0 Tourmaline
                                          Analysis ID:1410991
                                          Start date and time:2024-03-18 14:37:14 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 44s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:FVN001-230824.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 98%
                                          • Number of executed functions: 86
                                          • Number of non-executed functions: 7
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.206.121.22, 23.206.121.28, 23.206.121.47, 23.206.121.39, 23.206.121.52, 23.206.121.20, 172.64.149.23, 104.18.38.233
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, crl.comodoca.com.cdn.cloudflare.net, ctldl.windowsupdate.com, crl.usertrust.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: FVN001-230824.exe
Time | Type | Description
14:38:03 | API Interceptor | 22x Sleep call for process: FVN001-230824.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.91.198.143 | PO.exe | malicious | AgentTesla
| PO m#U1edbi_#28809418.exe | malicious | AgentTesla
| 0317000459585_022024.exe | malicious | AgentTesla
| Draft BL Copy & Shipping Documents.exe | malicious | AgentTesla, PureLog Stealer
| mzRBHkLlrA.exe | malicious | AgentTesla, PureLog Stealer
| PDF Order no. 20242902-70611 05.03.2024. - DIV GROUP.PDF.img.bat.exe | malicious | AgentTesla
| new order PO#-QSC240304.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine
| SecuriteInfo.com.Heur.10918.30321.exe | malicious | AgentTesla
| Order nr. VEN2440_IMG.pdf.exe | malicious | AgentTesla, PureLog Stealer
| #1_4636233527.pdf.exe | malicious | AgentTesla, PureLog Stealer
172.67.74.152 | QUOTE.exe | malicious | AgentTesla, GuLoader
| Payment TT Copy.pdf.exe | malicious | AgentTesla
| DHL Booking.exe | malicious | AgentTesla, GuLoader
| Quote.exe | malicious | AgentTesla, GuLoader
| quotation.pdf.exe | malicious | AgentTesla
| WXF_TRADING_PROFILE_2024.vbs | malicious | AgentTesla, GuLoader
| PO1876.xls | malicious | AgentTesla
| VAN3065008.xls | malicious | AgentTesla
| rFATURA2024-001.exe | malicious | AgentTesla
| doc.exe | malicious | AgentTesla, DarkTortilla
Match | Associated Sample Name / URL | Detection | Threat Name | Context
us2.smtp.mailhostbox.com | Proforma Invoice001&002-pdf.exe | malicious | AgentTesla | 208.91.199.223
| PO m#U1edbi_#28809466.exe | malicious | AgentTesla | 208.91.199.223
| PO.exe | malicious | AgentTesla | 208.91.198.143
| DHL Receipt_ AWB#62600719881.exe | malicious | AgentTesla | 208.91.199.224
| PO m#U1edbi_#28809418.exe | malicious | AgentTesla | 208.91.198.143
| DHL_AWB#62698719881.exe | malicious | AgentTesla | 208.91.199.224
| DHL Original Shipment Document.exe | malicious | AgentTesla
                                                                                  • 208.91.199.225
                                                                                  0317000459585_022024.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 208.91.198.143
                                                                                  quote 030214839A - Toron Alim..exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                  • 208.91.199.225
                                                                                  dwvvDpsmVB.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 208.91.199.225
                                                                                  api.ipify.orgPI.1.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 104.26.13.205
                                                                                  QUOTE.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 172.67.74.152
                                                                                  Quotation lists.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.12.205
                                                                                  SOA FEB 2024.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.13.205
                                                                                  INVOICE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.13.205
                                                                                  PO No.109480 Dt.18Mar2024 pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.12.205
                                                                                  Vindegade.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 104.26.12.205
                                                                                  https://cdn.discordapp.com/attachments/1219079930122338327/1219193029647274034/PO_No.109480_Dt.18Mar2024_pdf.7z?ex=660a68fd&is=65f7f3fd&hm=c1267cdec3cb72a30ed3524db2c95f7e2274d988486fe24145ef7f3d03bd1e0b&Get hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.12.205
                                                                                  PO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.12.205
                                                                                  Payment TT Copy.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 172.67.74.152
                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  PUBLIC-DOMAIN-REGISTRYUSPO234400.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 199.79.62.115
                                                                                  WZEF7aEu11.exeGet hashmaliciousUnknownBrowse
                                                                                  • 74.119.239.234
                                                                                  WZEF7aEu11.exeGet hashmaliciousUnknownBrowse
                                                                                  • 74.119.239.234
                                                                                  WZEF7aEu11.exeGet hashmaliciousUnknownBrowse
                                                                                  • 74.119.239.234
                                                                                  260224-027.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 199.79.62.115
                                                                                  WZEF7aEu11.exeGet hashmaliciousUnknownBrowse
                                                                                  • 74.119.239.234
                                                                                  https://sprl.in/wBwUGK0Get hashmaliciousUnknownBrowse
                                                                                  • 216.10.243.64
                                                                                  Proforma Invoice001&002-pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 208.91.199.223
                                                                                  PO m#U1edbi_#28809466.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 208.91.199.223
                                                                                  PO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 208.91.198.143
                                                                                  CLOUDFLARENETUSQuote.exeGet hashmaliciousFormBookBrowse
                                                                                  • 104.21.56.165
                                                                                  PI.1.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 104.26.13.205
                                                                                  proforma_Invoice_0009300_74885959969_9876.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                  • 104.21.67.152
                                                                                  QUOTE.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 172.67.74.152
                                                                                  Quotation lists.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.12.205
                                                                                  SOA FEB 2024.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 104.26.13.205
                                                                                  gMCSnfJRqp.exeGet hashmaliciousFormBookBrowse
                                                                                  • 172.67.169.232
                                                                                  qPAi9IP2Ck.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                                                                                  • 172.67.75.166
                                                                                  https://cloudflare-ipfs.com/ipfs/bafkreif2klim7glbgcsrfe6lm7wfd2scwmhee5i6dglyggzgvjgl53zw2i/#ZHdlbnNlbEBob2xsYW5kY28uY29tGet hashmaliciousUnknownBrowse
                                                                                  • 104.17.25.14
                                                                                  https://drive.google.com/file/d/1IKxLiXVTT7OY6TeIorneTBc8KCU0p08q/view?usp=sharing#urNkDtydE8Get hashmaliciousPhisherBrowse
                                                                                  • 104.22.6.203
                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  3b5074b1b5d032e5620f69f9f700ff0ePI.1.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 172.67.74.152
                                                                                  QUOTE.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                  • 172.67.74.152
                                                                                  Quotation lists.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 172.67.74.152
                                                                                  SOA FEB 2024.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  • 172.67.74.152
                                                                                  6000117092.exeGet hashmaliciousUnknownBrowse
                                                                                  • 172.67.74.152
                                                                                  Teklif 8822321378 .exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                  • 172.67.74.152
                                                                                  6000117092.exeGet hashmaliciousUnknownBrowse
                                                                                  • 172.67.74.152
                                                                                  https://drive.google.com/file/d/1IKxLiXVTT7OY6TeIorneTBc8KCU0p08q/view?usp=sharing#urNkDtydE8Get hashmaliciousPhisherBrowse
                                                                                  • 172.67.74.152
                                                                                  https://sprl.in/wBwUGK0Get hashmaliciousUnknownBrowse
                                                                                  • 172.67.74.152
                                                                                  https://www.casmore.comGet hashmaliciousUnknownBrowse
                                                                                  • 172.67.74.152
                                                                                  No context
Process: C:\Users\user\Desktop\FVN001-230824.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.944749106969845
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.98%
• Win32 Executable (generic) a (10002005/4) 49.93%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: FVN001-230824.exe
File size: 714'248 bytes
MD5: f9a102868bcd7a4c6779c73d678b50e4
SHA1: 5116f1b9a635c7c884ce558177ebe34fa5d992b0
SHA256: 959d491cbde6323dc2bf7c377a9c1e0940b988f51a3efcc0f1bd526cc0d210b4
SHA512: c4b5e716af2c38d21cb11cd3fb06cb8f2c6cdeeece6a56a6cc7c999062049baa07d71661e79962bd478f9b65fd5c3d4078ead62df409f4012f698f0dc78908bc
SSDEEP: 12288:mlM9hCaaXGx7Q6hFlcODMuNkk21MSXI+ygne0N0scCQAS4kmEJ57chCVseIkR:RUpiFlcO2MRBO0sFS4kmEJ50S
TLSH: B7E412857B244A87C2BDD3F1661694995FF2A0227A32DECE7CC611CE1FC5B801611F9B
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Td.e..............0.................. ........@.. ....................................@................................
Icon Hash: 6398a462a688d801
Entrypoint: 0x4ab09a
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x65F26454 [Thu Mar 14 02:43:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 13/11/2018 00:00:00
Not After: 08/11/2021 23:59:59
Subject Chain:
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xab048         | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xac000         | 0x1868       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0xab000         | 0x3608       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xae000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xa9414         | 0x54         | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0xa90a0      | 0xa9200  | d77028f5a24ac982704252ff78834eb3 | False    | 0.9481274251662971 | data      | 7.9530705368610946  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0xac000         | 0x1868       | 0x1a00   | 19482ca8b08a44f2d5ea84f87e9c40c8 | False    | 0.7814002403846154 | data      | 6.935638367331726   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000         | 0xc          | 0x200    | a4318e422c60c2f30321ec4e0e0f8dee | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                         | Language | Country | ZLIB Complexity
RT_ICON       | 0xac0c8 | 0x13f1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |          |         | 0.9224289911851127
RT_GROUP_ICON | 0xad4cc | 0x14   | data                                                         |          |         | 1.05
RT_VERSION    | 0xad4f0 | 0x374  | data                                                         |          |         | 0.416289592760181

DLL         | Import
mscoree.dll | _CorExeMain
Timestamp                | Protocol | SID     | Message                                                          | Source Port | Dest Port | Source IP   | Dest IP
03/18/24-14:38:09.012313 | TCP      | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity                      | 49713       | 587       | 192.168.2.9 | 208.91.198.143
03/18/24-14:38:09.012313 | TCP      | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP                          | 49713       | 587       | 192.168.2.9 | 208.91.198.143
03/18/24-14:38:09.012313 | TCP      | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49713       | 587       | 192.168.2.9 | 208.91.198.143
03/18/24-14:38:09.012313 | TCP      | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil                          | 49713       | 587       | 192.168.2.9 | 208.91.198.143
03/18/24-14:38:09.012229 | TCP      | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP                              | 49713       | 587       | 192.168.2.9 | 208.91.198.143
Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Mar 18, 2024 14:38:05.186239958 CET | 59458       | 53        | 192.168.2.9 | 1.1.1.1
Mar 18, 2024 14:38:05.274614096 CET | 53          | 59458     | 1.1.1.1     | 192.168.2.9
Mar 18, 2024 14:38:06.795964003 CET | 63092       | 53        | 192.168.2.9 | 1.1.1.1
Mar 18, 2024 14:38:07.364850044 CET | 53          | 63092     | 1.1.1.1     | 192.168.2.9
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                  | Type           | Class       | DNS over HTTPS
Mar 18, 2024 14:38:05.186239958 CET | 192.168.2.9 | 1.1.1.1 | 0x7020   | Standard query (0) | api.ipify.org         | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:38:06.795964003 CET | 192.168.2.9 | 1.1.1.1 | 0x4eee   | Standard query (0) | smtp.pcpatelinfra.com | A (IP address) | IN (0x0001) | false

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                     | CName                    | Address        | Type                   | Class       | DNS over HTTPS
Mar 18, 2024 14:38:05.274614096 CET | 1.1.1.1   | 192.168.2.9 | 0x7020   | No error (0) | api.ipify.org            |                          | 172.67.74.152  | A (IP address)         | IN (0x0001) | false
Mar 18, 2024 14:38:05.274614096 CET | 1.1.1.1   | 192.168.2.9 | 0x7020   | No error (0) | api.ipify.org            |                          | 104.26.13.205  | A (IP address)         | IN (0x0001) | false
Mar 18, 2024 14:38:05.274614096 CET | 1.1.1.1   | 192.168.2.9 | 0x7020   | No error (0) | api.ipify.org            |                          | 104.26.12.205  | A (IP address)         | IN (0x0001) | false
Mar 18, 2024 14:38:07.364850044 CET | 1.1.1.1   | 192.168.2.9 | 0x4eee   | No error (0) | smtp.pcpatelinfra.com    | us2.smtp.mailhostbox.com |                | CNAME (Canonical name) | IN (0x0001) | false
Mar 18, 2024 14:38:07.364850044 CET | 1.1.1.1   | 192.168.2.9 | 0x4eee   | No error (0) | us2.smtp.mailhostbox.com |                          | 208.91.198.143 | A (IP address)         | IN (0x0001) | false
Mar 18, 2024 14:38:07.364850044 CET | 1.1.1.1   | 192.168.2.9 | 0x4eee   | No error (0) | us2.smtp.mailhostbox.com |                          | 208.91.199.223 | A (IP address)         | IN (0x0001) | false
Mar 18, 2024 14:38:07.364850044 CET | 1.1.1.1   | 192.168.2.9 | 0x4eee   | No error (0) | us2.smtp.mailhostbox.com |                          | 208.91.199.224 | A (IP address)         | IN (0x0001) | false
Mar 18, 2024 14:38:07.364850044 CET | 1.1.1.1   | 192.168.2.9 | 0x4eee   | No error (0) | us2.smtp.mailhostbox.com |                          | 208.91.199.225 | A (IP address)         | IN (0x0001) | false
• api.ipify.org

Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.9 | 49711       | 172.67.74.152  | 443              | 1968 | C:\Users\user\Desktop\FVN001-230824.exe

Timestamp               | Bytes transferred | Direction | Data
2024-03-18 13:38:05 UTC | 155               | OUT       | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-03-18 13:38:06 UTC | 211               | IN        | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 13:38:06 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 86659f03beed0f95-EWR
2024-03-18 13:38:06 UTC | 14                | IN        | Data Raw: 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34
    Data Ascii: 191.96.227.194


Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP        | Commands
Mar 18, 2024 14:38:07.928613901 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Mar 18, 2024 14:38:07.928845882 CET | 49713       | 587       | 192.168.2.9    | 208.91.198.143 | EHLO 123716
Mar 18, 2024 14:38:08.104599953 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Mar 18, 2024 14:38:08.105515957 CET | 49713       | 587       | 192.168.2.9    | 208.91.198.143 | AUTH login YmFybWVyLnN0b3JlQHBjcGF0ZWxpbmZyYS5jb20=
Mar 18, 2024 14:38:08.281665087 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 334 UGFzc3dvcmQ6
Mar 18, 2024 14:38:08.461294889 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 235 2.7.0 Authentication successful
Mar 18, 2024 14:38:08.461508036 CET | 49713       | 587       | 192.168.2.9    | 208.91.198.143 | MAIL FROM:<barmer.store@pcpatelinfra.com>
Mar 18, 2024 14:38:08.637171984 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 250 2.1.0 Ok
Mar 18, 2024 14:38:08.637360096 CET | 49713       | 587       | 192.168.2.9    | 208.91.198.143 | RCPT TO:<jaredjames452@gmail.com>
Mar 18, 2024 14:38:08.836431980 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 250 2.1.5 Ok
Mar 18, 2024 14:38:08.836587906 CET | 49713       | 587       | 192.168.2.9    | 208.91.198.143 | DATA
Mar 18, 2024 14:38:09.011492014 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 354 End data with <CR><LF>.<CR><LF>
Mar 18, 2024 14:38:09.012398958 CET | 49713       | 587       | 192.168.2.9    | 208.91.198.143 | .
Mar 18, 2024 14:38:09.202528000 CET | 587         | 49713     | 208.91.198.143 | 192.168.2.9    | 550 5.7.1 This message is rejected by our SPAM filters. Please refer http://support.mailhostbox.com/email-administrators-guide-error-codes/ for more information


Target ID: 2
Start time: 14:38:01
Start date: 18/03/2024
Path: C:\Users\user\Desktop\FVN001-230824.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\FVN001-230824.exe
Imagebase: 0x3b0000
File size: 714'248 bytes
MD5 hash: F9A102868BCD7A4C6779C73D678B50E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 5
Start time: 14:38:03
Start date: 18/03/2024
Path: C:\Users\user\Desktop\FVN001-230824.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\FVN001-230824.exe
Imagebase: 0xad0000
File size: 714'248 bytes
MD5 hash: F9A102868BCD7A4C6779C73D678B50E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 213
Total number of Limit Nodes: 13

[Execution graph: node and edge listing omitted. API calls referenced by graph nodes: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, CreateActCtxA, GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, PostMessageW, FindCloseChangeNotification, DuplicateHandle.]
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 64e36bbcb091eb572a6c0b3d56d6ae2432078751c494a36855ad83e2070b14bb
                                                                                    • Instruction ID: 99c0bf7d6a3b91d3fb407203f9ef75163f2251607e20792a5fe3e89a59524d0c
                                                                                    • Opcode Fuzzy Hash: 64e36bbcb091eb572a6c0b3d56d6ae2432078751c494a36855ad83e2070b14bb
                                                                                    • Instruction Fuzzy Hash: 51D1BD317017008FDB25DB75C560BAAB7FAAF89700F14896ED186DB3A1EB35E901CB12
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aacd50376ab9942a4fee043b93f8764f255cf2c03daa145df9328d6c19bf18e2
                                                                                    • Instruction ID: 30ab009565bcbe7da39e258edccaed11aaf6f665498a400ebbda6094d8793c4e
                                                                                    • Opcode Fuzzy Hash: aacd50376ab9942a4fee043b93f8764f255cf2c03daa145df9328d6c19bf18e2
                                                                                    • Instruction Fuzzy Hash: E741F52352CAD18BC725CE398826196FBF0AB27239709838AE5B45F3E6D664DCC1C345
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4159364cc2645602122c2a1ccc345251f1d2a08ab889ef943c1c4ceaf2ba380e
                                                                                    • Instruction ID: 246654cb307bbfd0191a8c5d7b7b817e71748fc98c7df1123b61e34faa0e3261
                                                                                    • Opcode Fuzzy Hash: 4159364cc2645602122c2a1ccc345251f1d2a08ab889ef943c1c4ceaf2ba380e
                                                                                    • Instruction Fuzzy Hash: 83D01274E0D21CDEC750CF50D4885B8B7BCAB8B308F003952948DD3222EA70A4C0DE00
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

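The API wrappers in the execution graph above (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread) are the usual process-hollowing (RunPE) sequence: start a child suspended, replace its image, point the suspended thread at the new code, resume. What follows is an added example, not Joe Sandbox code and not code recovered from the sample: a small detector that walks an API-call trace and raises an alert when a child created with CREATE_SUSPENDED is written to and has its thread context set before it is resumed. The trace format, the handle values, the PID, the target name and the CREATE_SUSPENDED value on CreateProcessA are all constructed assumptions; the report shows the CreateProcessA arguments as unresolved (`?`).

```python
"""Process-hollowing (RunPE) sequence detector over an API-call trace.
Added example for this report: not Joe Sandbox code and not code from the
sample. Trace format and every value in the traces below are constructed."""
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit; assumed, args are unresolved in the report

CREATE_APIS = {"CreateProcessA", "CreateProcessW"}
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
READ_APIS = {"ReadProcessMemory", "NtReadVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}

# Constructed trace modelled on the execution graph; handles, addresses, PID
# and the target name are made up.
SAMPLE_TRACE = """\
CreateProcessA(lpApplicationName=target.exe, dwCreationFlags=0x4) -> hProcess=0x2a8, hThread=0x2ac, dwProcessId=4412
VirtualAllocEx(hProcess=0x2a8, lpAddress=0x400000, dwSize=0x2c000, flProtect=0x40) -> 0x400000
WriteProcessMemory(hProcess=0x2a8, lpBaseAddress=0x400000, nSize=0x400) -> 1
WriteProcessMemory(hProcess=0x2a8, lpBaseAddress=0x401000, nSize=0x1a000) -> 1
ReadProcessMemory(hProcess=0x2a8, lpBaseAddress=0x7ffde008, nSize=0x4) -> 1
Wow64SetThreadContext(hThread=0x2ac) -> 1
ResumeThread(hThread=0x2ac) -> 1
"""

# Constructed benign trace: a launcher that starts a child suspended and
# resumes it without touching its memory or thread context.
BENIGN_TRACE = """\
CreateProcessA(lpApplicationName=target.exe, dwCreationFlags=0x4) -> hProcess=0x1f0, hThread=0x1f4, dwProcessId=5020
ResumeThread(hThread=0x1f4) -> 1
"""

_EVENT_RE = re.compile(r"^(\w+)\((.*)\)\s*->\s*(.*)$")


def _kv(text):
    """Parse 'a=1, b=2' into a dict; a bare value is stored under 'value'."""
    out = {}
    for part in (p.strip() for p in text.split(",")):
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
        else:
            out["value"] = part
    return out


def parse_event(line):
    """Return (api, args, ret) for one trace line, or None if it does not parse."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    api, args, ret = m.groups()
    return api, _kv(args), _kv(ret)


@dataclass
class SuspendedChild:
    hprocess: str
    hthread: str
    pid: str
    steps: list = field(default_factory=list)


def detect_hollowing(trace):
    """One alert per suspended child that is written to and then has its
    thread context replaced before it is resumed."""
    by_process, by_thread, alerts = {}, {}, []
    for line in trace.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        api, args, ret = ev
        if api in CREATE_APIS:
            if int(args.get("dwCreationFlags", "0"), 16) & CREATE_SUSPENDED:
                child = SuspendedChild(ret.get("hProcess"), ret.get("hThread"),
                                       ret.get("dwProcessId"), [api])
                by_process[child.hprocess] = child
                by_thread[child.hthread] = child
        elif api in ALLOC_APIS | WRITE_APIS | READ_APIS:
            child = by_process.get(args.get("hProcess"))
            if child:
                child.steps.append(api)
        elif api in CONTEXT_APIS:
            child = by_thread.get(args.get("hThread"))
            if child:
                child.steps.append(api)
        elif api in RESUME_APIS:
            child = by_thread.pop(args.get("hThread"), None)
            if child is None:
                continue
            by_process.pop(child.hprocess, None)
            child.steps.append(api)
            # Image replaced (write) and then thread redirected (set context),
            # both before resume: the hollowing signature.
            first_write = next((i for i, s in enumerate(child.steps) if s in WRITE_APIS), None)
            first_ctx = next((i for i, s in enumerate(child.steps) if s in CONTEXT_APIS), None)
            if first_write is not None and first_ctx is not None and first_write < first_ctx:
                alerts.append({"rule": "process_hollowing", "pid": child.pid,
                               "sequence": list(child.steps)})
    return alerts


if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_TRACE):
        print(a["rule"], "pid", a["pid"], "->", " -> ".join(a["sequence"]))
    print("benign alerts:", detect_hollowing(BENIGN_TRACE))
```

The detector keys on the process and thread handles returned by CreateProcess, so it also matches a sample that swaps in the Nt* variants listed in the alias sets; it does not match a variant that creates the child running and suspends it afterwards, or one that resolves its own handles through DuplicateHandle, so in a production rule those paths need their own bookkeeping.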
                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 00ADD6F6
                                                                                    • GetCurrentThread.KERNEL32 ref: 00ADD733
                                                                                    • GetCurrentProcess.KERNEL32 ref: 00ADD770
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00ADD7C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: e1590e83c6b15bba71ccdabe276d5e8263fe615aab14c19217554fd98463ae7e
                                                                                    • Instruction ID: 4202f73c144daa6f14c202d8ac583966365b01267aa0a21647091bc378add290
                                                                                    • Opcode Fuzzy Hash: e1590e83c6b15bba71ccdabe276d5e8263fe615aab14c19217554fd98463ae7e
                                                                                    • Instruction Fuzzy Hash: D05146B09017498FDB14CFAAD688B9EBBF1FF88314F20845AE409A7390D7759944CF65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for 481387c (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks 481387c–4813bcd; CreateProcessA is called from block 4813a17-4813ad1.
                                                                                    APIs
                                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04813ABE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0
                                                                                    • Opcode ID: 1e06bf15f948ecbde7de1f652ec14a8a1da81671ea88e60a29a52dfd69435033
                                                                                    • Instruction ID: 0814595aa0fe04f9acb0bdc09a59995beb406ed64990240a14af51bb89ae5190
                                                                                    • Opcode Fuzzy Hash: 1e06bf15f948ecbde7de1f652ec14a8a1da81671ea88e60a29a52dfd69435033
                                                                                    • Instruction Fuzzy Hash: B2917C71D003199FEB11CF68C841BDEBBB6BF45314F148AAAD809E7290DB74A985CF91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for 4813888 (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks 4813888–4813bcd; CreateProcessA is called from block 4813a17-4813ad1.
                                                                                    APIs
                                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04813ABE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0
                                                                                    • Opcode ID: eec48e2d9d50635c1a26ec7b3e6014f185f9a4a2e4a323e3c50ed1248a54ff80
                                                                                    • Instruction ID: ac3893e9c8e2f591ee145a13fda62d88cdfe933cefc69fd2fa3e0ccf4cf8b22b
                                                                                    • Opcode Fuzzy Hash: eec48e2d9d50635c1a26ec7b3e6014f185f9a4a2e4a323e3c50ed1248a54ff80
                                                                                    • Instruction Fuzzy Hash: 66917C71D003199FEB11CF68C841BDEBBB6BF45314F148AAAD809E7290DB74A985CF91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for adb3e0 (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks adb3e0–adb670; GetModuleHandleW is called from block adb628-adb653; the function also calls adadc4, adb679 / adb688, adadd0, adade0, adadf0 and adae00.
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB646
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: c4da40566e7841565a3f5ce631e7514508b55a5fbb2cfbd6fa286217c67e1535
                                                                                    • Instruction ID: 27964f7f0909a38cab0e43c0668f4d4f636e749be100a4c346bccae8aeffa8d6
                                                                                    • Opcode Fuzzy Hash: c4da40566e7841565a3f5ce631e7514508b55a5fbb2cfbd6fa286217c67e1535
                                                                                    • Instruction Fuzzy Hash: 8F8123B0A00B45CFDB24CF29D14579ABBF1BF89300F108A2AD48ADBB51D774E945CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for ad58ed (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks ad58ed–ad5a41; CreateActCtxA is called from block ad58f8-ad59b9.
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00AD59A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 8e0ac32ebb7e4b6b3b397e7c1fd4d1fcb619a71c3e4066a9d99dbec3a6e1e721
                                                                                    • Instruction ID: 518d8291b093c198df6bd6af6719fee41b8eb740318c5afec9502d9161967506
                                                                                    • Opcode Fuzzy Hash: 8e0ac32ebb7e4b6b3b397e7c1fd4d1fcb619a71c3e4066a9d99dbec3a6e1e721
                                                                                    • Instruction Fuzzy Hash: 2E41C2B1C01B19CFEB14CFA9C884B8EFBB5BF49304F20816AD419AB251DB756946CF50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for ad44f0 (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks ad44f0–ad5a41; CreateActCtxA is called from block ad44f0-ad59b9.
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00AD59A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 8a89586007ba31425d4f9f69a603a6c0a42090f3dac2596615015b280ae48838
                                                                                    • Instruction ID: 3c06fbb98b5deb6642a3dd0075d728bc5b5e2d901be79ace1bc2918c2560af17
                                                                                    • Opcode Fuzzy Hash: 8a89586007ba31425d4f9f69a603a6c0a42090f3dac2596615015b280ae48838
                                                                                    • Instruction Fuzzy Hash: E341D2B0C00B29CFDB24CFA9C844B9EFBB5BF49304F20816AD419AB251DB756945CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for 4813028 (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks 4813012–48130f4; Wow64SetThreadContext is called from block 481308b-48130bb.
                                                                                    APIs
                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 048130AE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContextThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 983334009-0
                                                                                    • Opcode ID: 0834ca11754e52c14778bc07f91a017fdc985fb03c1ae04e384b05fbd15f51e8
                                                                                    • Instruction ID: b972de88d9cc50c1687ffa3837c07e28dc36af8b379befaa3afa99823d1f2a1a
                                                                                    • Opcode Fuzzy Hash: 0834ca11754e52c14778bc07f91a017fdc985fb03c1ae04e384b05fbd15f51e8
                                                                                    • Instruction Fuzzy Hash: F6218DB6D103088FEB10DFAAC4417EEBBF4EF48324F14842AD509A7250C779A545CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph for 48135f9 (rendered basic-block graph with Executed / Not Executed colouring; edge list omitted). Blocks 48135f9–48136d6; WriteProcessMemory is called from block 481365e-481369d.
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04813690
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04813690
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04813770
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 048130AE
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04813770
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ADD947
Memory Dump Source
• Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 048135AE
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADB6C1,00000800,00000000,00000000), ref: 00ADB8D2
Memory Dump Source
• Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADB6C1,00000800,00000000,00000000), ref: 00ADB8D2
Memory Dump Source
• Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 048135AE
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 04817700
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 048164B5
Memory Dump Source
• Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
                                                                                    APIs
                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 04817700
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: ChangeCloseFindNotification
                                                                                    • String ID:
                                                                                    • API String ID: 2591292051-0
                                                                                    • Opcode ID: 2d0c803be6ec927f82f6d69317c0deccf7fb6c06537f667e362c1b1452cd58f7
                                                                                    • Instruction ID: 63357ba8aecb7dc1fba46124caaf0f8ca9385eca7c49ae279b8b246f4ead6cb8
                                                                                    • Opcode Fuzzy Hash: 2d0c803be6ec927f82f6d69317c0deccf7fb6c06537f667e362c1b1452cd58f7
                                                                                    • Instruction Fuzzy Hash: 901103B58003498FDB10DF9AC445BDEBBF4EB48320F20886AD558A7750D778A544CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 048164B5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    • Opcode ID: 3187b9995c0d4872d8fda5dc21ea477bb4f9428fc99447b9fa9d680e58715c14
                                                                                    • Instruction ID: b8823831e2b0ae4e1d398f012dcefa008f817e4554c5a8249182264c46dd0051
                                                                                    • Opcode Fuzzy Hash: 3187b9995c0d4872d8fda5dc21ea477bb4f9428fc99447b9fa9d680e58715c14
                                                                                    • Instruction Fuzzy Hash: 1111F2B58003499FDB10DF9AC544BDEBBF8EB48320F10881AE558B7310D375A944CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB646
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: e054e1bd8bd0d2bbc3ef938b7e4cfa37916e6c25bd7a213dae72348051879764
                                                                                    • Instruction ID: ea0ccff719d2e1f66a1f4b39dda1eff1dd09dcf65dba63c67796cda43e1e6364
                                                                                    • Opcode Fuzzy Hash: e054e1bd8bd0d2bbc3ef938b7e4cfa37916e6c25bd7a213dae72348051879764
                                                                                    • Instruction Fuzzy Hash: D811DCB6C006498FDB10CF9AD844ADEFBF4AB89320F11842AD829B7710D379A545CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 048164B5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    • Opcode ID: 8e6a0587e07ee9dfc6af4ddd7b0d7cf7c2abec7c4978a764e423a13e180a6836
                                                                                    • Instruction ID: f1aa3ebd02edcb838826912be65ef295ef299b6ef5ee4d2d0601cfd454f2720c
                                                                                    • Opcode Fuzzy Hash: 8e6a0587e07ee9dfc6af4ddd7b0d7cf7c2abec7c4978a764e423a13e180a6836
                                                                                    • Instruction Fuzzy Hash: B311E5B58002499FDB10CF99D544BDEBBF8FB48310F14841AD558B7750D375A544CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350496399.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a3d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0c34b58583cc449ea56b0e6ac38a2382fe93436a6dfd01096e56b80cb970730
                                                                                    • Instruction ID: 1163f686810eadf633030ad56e83df65ce7c42e618868f19e9243bf84db3a170
                                                                                    • Opcode Fuzzy Hash: b0c34b58583cc449ea56b0e6ac38a2382fe93436a6dfd01096e56b80cb970730
                                                                                    • Instruction Fuzzy Hash: CA21F572504344DFDB15DF14E9C0B26BF65FB88318F24C569F8090B256C336D856CBA2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350496399.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a3d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a925926d5d1816ead28d41322e6d6d2e2b0d140a565be26effb17efb6130a5dd
                                                                                    • Instruction ID: 24de1a52d8ac498990fb9aea5eace494d6975738eda0debb854e96f10ff295c6
                                                                                    • Opcode Fuzzy Hash: a925926d5d1816ead28d41322e6d6d2e2b0d140a565be26effb17efb6130a5dd
                                                                                    • Instruction Fuzzy Hash: 92210775504344DFDB05DF10E9C0B26BB65FB98324F24C569F90A4F256C336E856CBA2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350564433.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a4d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5cfd3d6e7ba4dac9134e591f6780f27c69ebc1397b21be3dab422c5e34496a07
                                                                                    • Instruction ID: 3063e8167190d23a6854d5d782d8d772c7443f0a3be1d27be985a578773ca8a8
                                                                                    • Opcode Fuzzy Hash: 5cfd3d6e7ba4dac9134e591f6780f27c69ebc1397b21be3dab422c5e34496a07
                                                                                    • Instruction Fuzzy Hash: 16210479604344EFDB05DF10D9C0B66BBA5FBC4314F24C6ADE8094B292C3B6D846CA61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350564433.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a4d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b7499b7e445562de9e402b77e6de39db62682a8edcfae049c5e12bb25cefe116
                                                                                    • Instruction ID: 74963b772eeafbca526435ef5da1750996f2b4f89e2dde0b7f5b50e3c5fe8462
                                                                                    • Opcode Fuzzy Hash: b7499b7e445562de9e402b77e6de39db62682a8edcfae049c5e12bb25cefe116
                                                                                    • Instruction Fuzzy Hash: 5521F279604344DFDB14DF10D9C4B26BB65FBC4314F24C5ADD80A4B286C37AD847CA62
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350496399.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a3d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                    • Instruction ID: c200645ee91ecc63cc014e3453f512f4cda0cad601e282f4dd275a7149bf8e7f
                                                                                    • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                    • Instruction Fuzzy Hash: 3811E676504280CFCF16CF10D5C4B56BF71FB94318F24C6A9E8490B656C336D856CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350496399.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a3d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                    • Instruction ID: 3ccd5d8d0fd72917a182738d8048ab2660bd22557c6851b3f7e63dc1254fa740
                                                                                    • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                    • Instruction Fuzzy Hash: 7911E676504240DFCF16CF10E5C4B56BF71FB94324F24C6A9E8490B656C33AE856CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350564433.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a4d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                    • Instruction ID: 96e8b5dbe09011fcc5cc25009afa49e0fb437823d4fba486af227edadf87f116
                                                                                    • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                    • Instruction Fuzzy Hash: D0119079504280DFCB15CF14D5C4B15FB61FB84314F24C6AED84A4B696C33AD84ACB61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350564433.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a4d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                    • Instruction ID: 98084502a3c75c0eea69a8df6b06011fafdb3c0f709c99234d48e986e9ce509f
                                                                                    • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                    • Instruction Fuzzy Hash: B1119D79504280DFCB15CF50D5C4B55FBB1FB84314F28C6AED8494B696C37AD84ACB61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350496399.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a3d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 00dfdbd8eeaaf2ac049455dbf9d6ad634ae4fd2589c626f6107becb0924b7138
                                                                                    • Instruction ID: 167055bd2f8626a05ebf265be0b0f41e034ac735db053e725e9636950401b774
                                                                                    • Opcode Fuzzy Hash: 00dfdbd8eeaaf2ac049455dbf9d6ad634ae4fd2589c626f6107becb0924b7138
                                                                                    • Instruction Fuzzy Hash: 6501D671504340DFE7109F25DD84B67BBA8DF41364F18C56AFD194E282D6799840CBB2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350496399.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_a3d000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 82a5965a3156568f0e8a6e4b9838f2fa23c215cfcc98537a129ac13a6e6ca7c9
                                                                                    • Instruction ID: a10185c6780eeba6953756c147ce4d926b4c9a7fa368e6164bc393f3dbc2492c
                                                                                    • Opcode Fuzzy Hash: 82a5965a3156568f0e8a6e4b9838f2fa23c215cfcc98537a129ac13a6e6ca7c9
                                                                                    • Instruction Fuzzy Hash: 74F06D72805344AFEB148F16D988B62FBA8EB91734F18C45AFD084E286C2799844CBB1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c528d50c7a5d8ee10b635a79e68857817d5b09301e43855ce8292d92660e7090
                                                                                    • Instruction ID: 43137a8c89122cf4aeb5f677984cc2ef3523d1c867aebeb5cd5fd252e231dabf
                                                                                    • Opcode Fuzzy Hash: c528d50c7a5d8ee10b635a79e68857817d5b09301e43855ce8292d92660e7090
                                                                                    • Instruction Fuzzy Hash: 24D15D70B012049FEB14DBA8D990BAE77FAAF88700F14456AF506EB3A1DB74ED41CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0376f4be09a92580d3a7f9022745d7ff2cae2d6e8a5bb81a909c5f9e9ea91a1
                                                                                    • Instruction ID: b9416b84a3e1d9d6e54c45cd2deb452109da84bcf25c429e1a0e24be33f61707
                                                                                    • Opcode Fuzzy Hash: b0376f4be09a92580d3a7f9022745d7ff2cae2d6e8a5bb81a909c5f9e9ea91a1
                                                                                    • Instruction Fuzzy Hash: C5E11774E002598FDB14DFA9C584AAEFBF2BF89304F24866AD514AB365D730AD41CF60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 654080c49525b3eb4fc61b433019e9d2aeb48bbdc94836619aaa4af01685325c
                                                                                    • Instruction ID: b2dfe705d8ab4b29cab14824b51a316abe01d3052fb3dc6a892f7679a3b3cf67
                                                                                    • Opcode Fuzzy Hash: 654080c49525b3eb4fc61b433019e9d2aeb48bbdc94836619aaa4af01685325c
                                                                                    • Instruction Fuzzy Hash: 52E1FA74E002598FDB14DFA9C980AAEFBF2BF89305F24866AD414AB355D731AD41CF60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6946a054dd89451cf360e35240a99ad2de809ad73bf1f2ed1f6f1f9ccd38f41c
                                                                                    • Instruction ID: 027b849a96d16be011018b84971d9d382b1a453c90699d32c26345aa4dc2a96d
                                                                                    • Opcode Fuzzy Hash: 6946a054dd89451cf360e35240a99ad2de809ad73bf1f2ed1f6f1f9ccd38f41c
                                                                                    • Instruction Fuzzy Hash: 7CE1F974E002598FDB14DFA9C580AAEFBF2BF89305F24866AD815AB355D730AD41CF60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e4b26da0da7482aaff99a493986335bd842288858a55d6c788ced63f33f9353
                                                                                    • Instruction ID: 8006381296e5b4b2421e2ae288a840cddfab8784c176f4edf5afbd70d1cdcfe2
                                                                                    • Opcode Fuzzy Hash: 1e4b26da0da7482aaff99a493986335bd842288858a55d6c788ced63f33f9353
                                                                                    • Instruction Fuzzy Hash: CDE1EA74E002598FDB14DFA9D580AAEFBF2BF89305F2486AAD414A7365D730AD41CF60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1350808487.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_ad0000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b2a2a87e0f4ee6b8866d0bb5fcb61118f95dd2ae4867ca60bb75c04c85d3014f
                                                                                    • Instruction ID: 80cb244d582468c2f6d2e2b5cecbc73ddf1d6bcea5a62fd363ac5ea877f39769
                                                                                    • Opcode Fuzzy Hash: b2a2a87e0f4ee6b8866d0bb5fcb61118f95dd2ae4867ca60bb75c04c85d3014f
                                                                                    • Instruction Fuzzy Hash: 20A15A32E002198FCF09DFB5C9845EEB7B6BF85300B15857AE806AB365DB31E955CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.1353569046.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_4810000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4740a6aafc034184615bd92466130520665315e1f683170edad9bfdc3916da7b
                                                                                    • Instruction ID: 217c0a08284f291393ea4521c55a51d805478151ac164b275d13e7dd27a2fc63
                                                                                    • Opcode Fuzzy Hash: 4740a6aafc034184615bd92466130520665315e1f683170edad9bfdc3916da7b
                                                                                    • Instruction Fuzzy Hash: 4A512D75E002598FDB14DFA9C9805AEFBF6BF89305F24856AD408A7316D730AD41CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Execution Graph

                                                                                    Execution Coverage: 8.8%
                                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                                    Signature Coverage: 0%
                                                                                    Total number of Nodes: 74
                                                                                    Total number of Limit Nodes: 6
                                                                                    execution_graph 39013 6aed510 39014 6aed578 CreateWindowExW 39013->39014 39016 6aed634 39014->39016 38927 2bfd030 38928 2bfd048 38927->38928 38929 2bfd0a2 38928->38929 38934 6aea46c 38928->38934 38943 6aed6b7 38928->38943 38947 6aee818 38928->38947 38956 6aed6c8 38928->38956 38935 6aea477 38934->38935 38936 6aee889 38935->38936 38938 6aee879 38935->38938 38976 6aee49c 38936->38976 38960 6aeea7c 38938->38960 38966 6aee9b0 38938->38966 38971 6aee9a0 38938->38971 38939 6aee887 38939->38939 38944 6aed6c5 38943->38944 38945 6aea46c CallWindowProcW 38944->38945 38946 6aed70f 38945->38946 38946->38929 38948 6aee855 38947->38948 38949 6aee889 38948->38949 38951 6aee879 38948->38951 38950 6aee49c CallWindowProcW 38949->38950 38952 6aee887 38950->38952 38953 6aeea7c CallWindowProcW 38951->38953 38954 6aee9a0 CallWindowProcW 38951->38954 38955 6aee9b0 CallWindowProcW 38951->38955 38952->38952 38953->38952 38954->38952 38955->38952 38957 6aed6ee 38956->38957 38958 6aea46c CallWindowProcW 38957->38958 38959 6aed70f 38958->38959 38959->38929 38961 6aeea8a 38960->38961 38962 6aeea3a 38960->38962 38980 6aeea68 38962->38980 38983 6aeea58 38962->38983 38963 6aeea50 38963->38939 38967 6aee9c4 38966->38967 38969 6aeea68 CallWindowProcW 38967->38969 38970 6aeea58 CallWindowProcW 38967->38970 38968 6aeea50 38968->38939 38969->38968 38970->38968 38972 6aee9b1 38971->38972 38974 6aeea68 CallWindowProcW 38972->38974 38975 6aeea58 CallWindowProcW 38972->38975 38973 6aeea50 38973->38939 38974->38973 38975->38973 38977 6aee4a7 38976->38977 38978 6aefcea CallWindowProcW 38977->38978 38979 6aefc99 38977->38979 38978->38979 38979->38939 38981 6aeea79 38980->38981 38987 6aefc20 38980->38987 38981->38963 38984 6aeea68 38983->38984 38985 6aeea79 38984->38985 38986 6aefc20 CallWindowProcW 38984->38986 38985->38963 38986->38985 38988 6aee49c CallWindowProcW 38987->38988 38989 6aefc3a 38988->38989 38989->38981 38990 2e70848 38991 2e7084e 38990->38991 38992 2e7091b 38991->38992 38994 2e71382 38991->38994 38996 2e71396 38994->38996 38995 2e71480 38995->38991 38996->38995 38998 2e77ea8 38996->38998 38999 2e77eb2 38998->38999 39000 2e77ecc 38999->39000 39003 699d9d8 38999->39003 39008 699d9cb 38999->39008 39000->38996 39004 699d9ed 39003->39004 39005 699dc02 39004->39005 39006 699dc19 GlobalMemoryStatusEx 39004->39006 39007 699de78 GlobalMemoryStatusEx 39004->39007 39005->39000 39006->39004 39007->39004 39009 699d9ed 39008->39009 39010 699dc02 39009->39010 39011 699dc19 GlobalMemoryStatusEx 39009->39011 39012 699de78 GlobalMemoryStatusEx 39009->39012 39010->39000 39011->39009 39012->39009
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f51e59b79a6ac8376538a1f6eb00309c2039760454ea16c5fe961379a270f587
                                                                                    • Instruction ID: 6547be0080953453d6879bcd5bb75e392a2553b5a5bf2c00315b737cee51826f
                                                                                    • Opcode Fuzzy Hash: f51e59b79a6ac8376538a1f6eb00309c2039760454ea16c5fe961379a270f587
                                                                                    • Instruction Fuzzy Hash: BB231D31D10B198ECB11EF68C8946ADF7B1FF99300F15D79AE449A7211EB70AAC5CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 750 2e73e80-2e73ee6 752 2e73f30-2e73f32 750->752 753 2e73ee8-2e73ef3 750->753 755 2e73f34-2e73f8c 752->755 753->752 754 2e73ef5-2e73f01 753->754 756 2e73f24-2e73f2e 754->756 757 2e73f03-2e73f0d 754->757 764 2e73fd6-2e73fd8 755->764 765 2e73f8e-2e73f99 755->765 756->755 759 2e73f11-2e73f20 757->759 760 2e73f0f 757->760 759->759 761 2e73f22 759->761 760->759 761->756 767 2e73fda-2e73ff2 764->767 765->764 766 2e73f9b-2e73fa7 765->766 768 2e73fca-2e73fd4 766->768 769 2e73fa9-2e73fb3 766->769 773 2e73ff4-2e73fff 767->773 774 2e7403c-2e7403e 767->774 768->767 771 2e73fb7-2e73fc6 769->771 772 2e73fb5 769->772 771->771 775 2e73fc8 771->775 772->771 773->774 776 2e74001-2e7400d 773->776 777 2e74040-2e7408e 774->777 775->768 778 2e74030-2e7403a 776->778 779 2e7400f-2e74019 776->779 785 2e74094-2e740a2 777->785 778->777 780 2e7401d-2e7402c 779->780 781 2e7401b 779->781 780->780 783 2e7402e 780->783 781->780 783->778 786 2e740a4-2e740aa 785->786 787 2e740ab-2e7410b 785->787 786->787 794 2e7410d-2e74111 787->794 795 2e7411b-2e7411f 787->795 794->795 798 2e74113 794->798 796 2e74121-2e74125 795->796 797 2e7412f-2e74133 795->797 796->797 799 2e74127-2e7412a call 2e70ab8 796->799 800 2e74135-2e74139 797->800 801 2e74143-2e74147 797->801 798->795 799->797 800->801 803 2e7413b-2e7413e call 2e70ab8 800->803 804 2e74157-2e7415b 801->804 805 2e74149-2e7414d 801->805 803->801 808 2e7415d-2e74161 804->808 809 2e7416b-2e7416f 804->809 805->804 807 2e7414f-2e74152 call 2e70ab8 805->807 807->804 808->809 813 2e74163 808->813 810 2e74171-2e74175 809->810 811 2e7417f 809->811 810->811 814 2e74177 810->814 815 2e74180 811->815 813->809 814->811 815->815
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: \V8m
                                                                                    • API String ID: 0-3962739738
                                                                                    • Opcode ID: b3c0018d022d18ad078bd55ac113c6e489e312393d9d2ebebb29f0681dd7d514
                                                                                    • Instruction ID: 92240c673d3bb36895fd17da8929c497b4c11e68f34b7bb74af8c343ecc31bf4
                                                                                    • Opcode Fuzzy Hash: b3c0018d022d18ad078bd55ac113c6e489e312393d9d2ebebb29f0681dd7d514
                                                                                    • Instruction Fuzzy Hash: EF915870E40209CFDF14DFA9C8857EEBBF2AF88358F14D129E415A7294EB749846CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 14751ab567649ca727f65fcf557b875544eb040de3c168f766800456538fcd07
                                                                                    • Instruction ID: 9bfe5ac218eb66f99c8114865eda8dac4b35a0aaa3f79d63f25324acb8c5e51a
                                                                                    • Opcode Fuzzy Hash: 14751ab567649ca727f65fcf557b875544eb040de3c168f766800456538fcd07
                                                                                    • Instruction Fuzzy Hash: 48420731C10B4A8ADB11EF78C8546A9F7B5EF9A300F11D79AE45877121FB70AAC4CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e7adc2c34497f50313a73141da91a651bbd16ff86d6ed59eef4a60b819efadad
                                                                                    • Instruction ID: a48fc680534565533217037c72e637e5d8c3833495aa1aefea599f83721364f8
                                                                                    • Opcode Fuzzy Hash: e7adc2c34497f50313a73141da91a651bbd16ff86d6ed59eef4a60b819efadad
                                                                                    • Instruction Fuzzy Hash: 49B17C70E40209CFDB10CFA9C8957EEBBF2AF89318F14D129D855EB294EB749845CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 77 2e74810-2e7489c 80 2e748e6-2e748e8 77->80 81 2e7489e-2e748a9 77->81 82 2e748ea-2e74902 80->82 81->80 83 2e748ab-2e748b7 81->83 89 2e74904-2e7490f 82->89 90 2e7494c-2e7494e 82->90 84 2e748da-2e748e4 83->84 85 2e748b9-2e748c3 83->85 84->82 87 2e748c7-2e748d6 85->87 88 2e748c5 85->88 87->87 91 2e748d8 87->91 88->87 89->90 93 2e74911-2e7491d 89->93 92 2e74950-2e74995 90->92 91->84 101 2e7499b-2e749a9 92->101 94 2e74940-2e7494a 93->94 95 2e7491f-2e74929 93->95 94->92 96 2e7492d-2e7493c 95->96 97 2e7492b 95->97 96->96 99 2e7493e 96->99 97->96 99->94 102 2e749b2-2e74a0f 101->102 103 2e749ab-2e749b1 101->103 110 2e74a11-2e74a15 102->110 111 2e74a1f-2e74a23 102->111 103->102 110->111 114 2e74a17-2e74a1a call 2e70ab8 110->114 112 2e74a25-2e74a29 111->112 113 2e74a33-2e74a37 111->113 112->113 116 2e74a2b-2e74a2e call 2e70ab8 112->116 117 2e74a47-2e74a4b 113->117 118 2e74a39-2e74a3d 113->118 114->111 116->113 120 2e74a4d-2e74a51 117->120 121 2e74a5b 117->121 118->117 119 2e74a3f 118->119 119->117 120->121 123 2e74a53 120->123 124 2e74a5c 121->124 123->121 124->124
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: \V8m$\V8m
                                                                                    • API String ID: 0-938959358
                                                                                    • Opcode ID: 25c12f9d69ffc373511c825a619923caa6ae2d8b60c2b948a7026d6120044c5d
                                                                                    • Instruction ID: 2672e3e4679ca86b49171569a6226de1462197153a5251f0fdf143cea0ede8d9
                                                                                    • Opcode Fuzzy Hash: 25c12f9d69ffc373511c825a619923caa6ae2d8b60c2b948a7026d6120044c5d
                                                                                    • Instruction Fuzzy Hash: A6714A70E40249CFDF10CFA9C8857AEBBF2BF88318F14D129E415A7294EB749845CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 125 2e74804-2e7489c 128 2e748e6-2e748e8 125->128 129 2e7489e-2e748a9 125->129 130 2e748ea-2e74902 128->130 129->128 131 2e748ab-2e748b7 129->131 137 2e74904-2e7490f 130->137 138 2e7494c-2e7494e 130->138 132 2e748da-2e748e4 131->132 133 2e748b9-2e748c3 131->133 132->130 135 2e748c7-2e748d6 133->135 136 2e748c5 133->136 135->135 139 2e748d8 135->139 136->135 137->138 141 2e74911-2e7491d 137->141 140 2e74950-2e74962 138->140 139->132 148 2e74969-2e74995 140->148 142 2e74940-2e7494a 141->142 143 2e7491f-2e74929 141->143 142->140 144 2e7492d-2e7493c 143->144 145 2e7492b 143->145 144->144 147 2e7493e 144->147 145->144 147->142 149 2e7499b-2e749a9 148->149 150 2e749b2-2e74a0f 149->150 151 2e749ab-2e749b1 149->151 158 2e74a11-2e74a15 150->158 159 2e74a1f-2e74a23 150->159 151->150 158->159 162 2e74a17-2e74a1a call 2e70ab8 158->162 160 2e74a25-2e74a29 159->160 161 2e74a33-2e74a37 159->161 160->161 164 2e74a2b-2e74a2e call 2e70ab8 160->164 165 2e74a47-2e74a4b 161->165 166 2e74a39-2e74a3d 161->166 162->159 164->161 168 2e74a4d-2e74a51 165->168 169 2e74a5b 165->169 166->165 167 2e74a3f 166->167 167->165 168->169 171 2e74a53 168->171 172 2e74a5c 169->172 171->169 172->172
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: \V8m$\V8m
                                                                                    • API String ID: 0-938959358
                                                                                    • Opcode ID: 24aa64cd593651cd6627ed4c735937117810ed304643d7e7ec295f70a9163b36
                                                                                    • Instruction ID: 6614d88cc8521e5a8734213af0f9a0a6d87f4fb04759bce725ae60804e399041
                                                                                    • Opcode Fuzzy Hash: 24aa64cd593651cd6627ed4c735937117810ed304643d7e7ec295f70a9163b36
                                                                                    • Instruction Fuzzy Hash: 8C7138B0E4024ACFDF10CFA9D88579EBBF1BF88318F14D129E415A7294EB749846CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 589 699e93f-699e95b 590 699e95d-699e984 call 699d1b0 589->590 591 699e985-699e9a4 call 699e540 589->591 597 699e9aa-699ea09 591->597 598 699e9a6-699e9a9 591->598 605 699ea0b-699ea0e 597->605 606 699ea0f-699ea9c GlobalMemoryStatusEx 597->606 609 699ea9e-699eaa4 606->609 610 699eaa5-699eacd 606->610 609->610
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2564239859.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6990000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3d59619505675ba134e345917cf08725cae01a381cbf053bc9f7fbc9d2f8b563
• Instruction ID: f56a4f212f0ab75b3b1a261f49f2adc2fdcc32ff18af059ec583f985a165a10a
• Opcode Fuzzy Hash: 3d59619505675ba134e345917cf08725cae01a381cbf053bc9f7fbc9d2f8b563
• Instruction Fuzzy Hash: E6415872D0435A9FCB14CFB9D8043DEBBF5EF8A210F14856AD548A7650EB749845CBE0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 613 6aed504-6aed576 615 6aed578-6aed57e 613->615 616 6aed581-6aed588 613->616 615->616 617 6aed58a-6aed590 616->617 618 6aed593-6aed5cb 616->618 617->618 619 6aed5d3-6aed632 CreateWindowExW 618->619 620 6aed63b-6aed673 619->620 621 6aed634-6aed63a 619->621 625 6aed675-6aed678 620->625 626 6aed680 620->626 621->620 625->626 627 6aed681 626->627 627->627
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AED622
Memory Dump Source
• Source File: 00000005.00000002.2564608617.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6ae0000_FVN001-230824.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: c0eff9add7f98331bae9289d9e9c9ce0dd2a0648396a587e4f49b077a8a00398
• Instruction ID: 1beefd0ea43ef2d390b169463c515ad7886ec71e961273cd295d9406c506b73f
• Opcode Fuzzy Hash: c0eff9add7f98331bae9289d9e9c9ce0dd2a0648396a587e4f49b077a8a00398
• Instruction Fuzzy Hash: C451CFB5D103499FDB14DF9AC884ADEBBB5FF48310F24852AE819AB250D7719845CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 628 6aed510-6aed576 629 6aed578-6aed57e 628->629 630 6aed581-6aed588 628->630 629->630 631 6aed58a-6aed590 630->631 632 6aed593-6aed632 CreateWindowExW 630->632 631->632 634 6aed63b-6aed673 632->634 635 6aed634-6aed63a 632->635 639 6aed675-6aed678 634->639 640 6aed680 634->640 635->634 639->640 641 6aed681 640->641 641->641
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AED622
Memory Dump Source
• Source File: 00000005.00000002.2564608617.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6ae0000_FVN001-230824.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 84cf124f95fa352e6d79b4795a4f26416a0a0f87515beac94716b62b729feed0
• Instruction ID: 60e7bb57c62e78b92a763f9111c13450da2fee07a679b9315463384185e6aa92
• Opcode Fuzzy Hash: 84cf124f95fa352e6d79b4795a4f26416a0a0f87515beac94716b62b729feed0
• Instruction Fuzzy Hash: C041BDB5D10349DFDB14DF9AC884ADEBBB5FF48310F24812AE819AB250D775A845CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 642 6aee49c-6aefc8c 645 6aefd3c-6aefd5c call 6aea46c 642->645 646 6aefc92-6aefc97 642->646 653 6aefd5f-6aefd6c 645->653 648 6aefcea-6aefd22 CallWindowProcW 646->648 649 6aefc99-6aefcd0 646->649 650 6aefd2b-6aefd3a 648->650 651 6aefd24-6aefd2a 648->651 656 6aefcd9-6aefce8 649->656 657 6aefcd2-6aefcd8 649->657 650->653 651->650 656->653 657->656
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06AEFD11
Memory Dump Source
• Source File: 00000005.00000002.2564608617.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6ae0000_FVN001-230824.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 8020e63bf3a9dbdb6fff0fe503fc0132655d740aae15fefdc451f01fe02a8e94
• Instruction ID: 9d25de985e460c511edc2b20ec4d640e73e45cfa7402b168c49bf4814953bd70
• Opcode Fuzzy Hash: 8020e63bf3a9dbdb6fff0fe503fc0132655d740aae15fefdc451f01fe02a8e94
• Instruction Fuzzy Hash: 37410AB8A00305CFDB54DF99C488BAABBF5FB88314F24C859D519AB321D775A841CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 659 699ea28-699ea66 660 699ea6e-699ea9c GlobalMemoryStatusEx 659->660 661 699ea9e-699eaa4 660->661 662 699eaa5-699eacd 660->662 661->662
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0699EA8F
Memory Dump Source
• Source File: 00000005.00000002.2564239859.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6990000_FVN001-230824.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: ae4aa7182d919e1c680b6c4d979ca2b308cc82ecf730d06f5920b92354cacc60
• Instruction ID: 88bc59a5837ba12b30b8f0f8a3037c48916f7710fd0ecf439c944957289f8ff5
• Opcode Fuzzy Hash: ae4aa7182d919e1c680b6c4d979ca2b308cc82ecf730d06f5920b92354cacc60
• Instruction Fuzzy Hash: 6211E2B1C0065A9BDB10CF9AC444BDEFBF4FF48220F15816AD818A7640D378A954CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 816 2e73e75-2e73ee6 818 2e73f30-2e73f32 816->818 819 2e73ee8-2e73ef3 816->819 821 2e73f34-2e73f8c 818->821 819->818 820 2e73ef5-2e73f01 819->820 822 2e73f24-2e73f2e 820->822 823 2e73f03-2e73f0d 820->823 830 2e73fd6-2e73fd8 821->830 831 2e73f8e-2e73f99 821->831 822->821 825 2e73f11-2e73f20 823->825 826 2e73f0f 823->826 825->825 827 2e73f22 825->827 826->825 827->822 833 2e73fda-2e73ff2 830->833 831->830 832 2e73f9b-2e73fa7 831->832 834 2e73fca-2e73fd4 832->834 835 2e73fa9-2e73fb3 832->835 839 2e73ff4-2e73fff 833->839 840 2e7403c-2e7403e 833->840 834->833 837 2e73fb7-2e73fc6 835->837 838 2e73fb5 835->838 837->837 841 2e73fc8 837->841 838->837 839->840 842 2e74001-2e7400d 839->842 843 2e74040-2e74052 840->843 841->834 844 2e74030-2e7403a 842->844 845 2e7400f-2e74019 842->845 850 2e74059-2e7408e 843->850 844->843 846 2e7401d-2e7402c 845->846 847 2e7401b 845->847 846->846 849 2e7402e 846->849 847->846 849->844 851 2e74094-2e740a2 850->851 852 2e740a4-2e740aa 851->852 853 2e740ab-2e7410b 851->853 852->853 860 2e7410d-2e74111 853->860 861 2e7411b-2e7411f 853->861 860->861 864 2e74113 860->864 862 2e74121-2e74125 861->862 863 2e7412f-2e74133 861->863 862->863 865 2e74127-2e7412a call 2e70ab8 862->865 866 2e74135-2e74139 863->866 867 2e74143-2e74147 863->867 864->861 865->863 866->867 869 2e7413b-2e7413e call 2e70ab8 866->869 870 2e74157-2e7415b 867->870 871 2e74149-2e7414d 867->871 869->867 874 2e7415d-2e74161 870->874 875 2e7416b-2e7416f 870->875 871->870 873 2e7414f-2e74152 call 2e70ab8 871->873 873->870 874->875 879 2e74163 874->879 876 2e74171-2e74175 875->876 877 2e7417f 875->877 876->877 880 2e74177 876->880 881 2e74180 877->881 879->875 880->877 881->881
Strings
Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID: \V8m
• API String ID: 0-3962739738
• Opcode ID: 470cb69fa8e72122d9c63132d359f39741c7f0cb6c46127494c8ccfd5904f49e
• Instruction ID: 5b363abab11c9bc85493de2c79e1b09d0e9f4173652e7becefb1cdfbd4a5e6d7
• Opcode Fuzzy Hash: 470cb69fa8e72122d9c63132d359f39741c7f0cb6c46127494c8ccfd5904f49e
• Instruction Fuzzy Hash: 9DA15970E40209CFDF14DFA9C8857EEBBF2AF88358F149129E415A7294EB749846CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63a82e69455f690deaba3ebbda6b45571832e4ccb0e2a3503c26c382e7368df8
• Instruction ID: 1d31c3f688022d9e783373c269c76ad320e16da80d3ae485ba7e0932fe4a5119
• Opcode Fuzzy Hash: 63a82e69455f690deaba3ebbda6b45571832e4ccb0e2a3503c26c382e7368df8
• Instruction Fuzzy Hash: 4E4203B17012068BDB59EB38E86862C7363FB99649B14DD2ED506CB355CB30DC07D792
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72c3ffb12b3887b2c14e872dad050c58c0597c684e96e9be0820268e6acdc30b
• Instruction ID: d3b8aaac67c778edb433139afe9f04481d786898c16dfd3b87cbc0fc67b37d89
• Opcode Fuzzy Hash: 72c3ffb12b3887b2c14e872dad050c58c0597c684e96e9be0820268e6acdc30b
• Instruction Fuzzy Hash: 0FD1AB71A402058FDB14DFA8E8907AEBBB2FB88314F24C57AE909DB395D731D845CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50f1d17c7ef06847b3861f3cca8bcc23126b561b7ac0cf84b283bd4bce7dddb6
• Instruction ID: ac853d2919e037b3869ada503b65d4eb6b8ae97c573ac38e8c90c80ac05e8f0b
• Opcode Fuzzy Hash: 50f1d17c7ef06847b3861f3cca8bcc23126b561b7ac0cf84b283bd4bce7dddb6
• Instruction Fuzzy Hash: E7B16C70E40209CFDB10CFA8D8957EEBBF1AF89318F14D129D855E7294EB749845CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40026edbfd5c2b663df66494dbd0355fd3c16eb8b237390352ab08f61d9faaa1
• Instruction ID: 7cdfbb262227d0ab460da65fc0ea3f0d989180eb47e58ed082052455e5fe75cc
• Opcode Fuzzy Hash: 40026edbfd5c2b663df66494dbd0355fd3c16eb8b237390352ab08f61d9faaa1
• Instruction Fuzzy Hash: DE912A34A002149FDB14DF68E994AADB7B2FF88755F24C469E906EB364DB31EC42CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0fd5f99007a04c84a4b8cce3ca64eba36a171188d5456d3b0515d5817276e13
• Instruction ID: c2625955b1d5c8bd52728c1d780f61ea8efbb89d1b626b55821284de661a7fd0
• Opcode Fuzzy Hash: d0fd5f99007a04c84a4b8cce3ca64eba36a171188d5456d3b0515d5817276e13
• Instruction Fuzzy Hash: B0618F34740215CFDB14DB78C458BAE7BB6AF89704F2090A9E406EB7A1CB759C41CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6ac07bbf1d4a1b53e5748ab393ba2bb1157aa3fac4750aae1eaabff4f555b54
• Instruction ID: 7e5729e0ff6b1fc667141ae3294d064ac58f51830849347651c19dcdea8fa635
• Opcode Fuzzy Hash: d6ac07bbf1d4a1b53e5748ab393ba2bb1157aa3fac4750aae1eaabff4f555b54
• Instruction Fuzzy Hash: 8B512370D106188FEB14DFAAC884BDDBBB5FF49318F14812AE815AB354D774A844CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e44c10a7434d7e8b69da98e43a25e2f151cd361649ec578700fc34cd0c05016a
• Instruction ID: b74b06fc076b3b45bb6888cbfd8a7f36f173abca18f5500fe930f3e82d0a5772
• Opcode Fuzzy Hash: e44c10a7434d7e8b69da98e43a25e2f151cd361649ec578700fc34cd0c05016a
• Instruction Fuzzy Hash: AB512370D106188FEB18DFAAC884B9DBBF5FF48718F14912AE815AB350D774A844CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 571e52d8cfa878bff8b6c5b6b6d5cc9754b7c9b893e3987301090f0aa7684ec5
• Instruction ID: 42636a53ce8fb3d6c0d3eb66535f8f106ab665b330e2bd7b5c008a5b5ddfe010
• Opcode Fuzzy Hash: 571e52d8cfa878bff8b6c5b6b6d5cc9754b7c9b893e3987301090f0aa7684ec5
• Instruction Fuzzy Hash: 0A51567161134ADFC746FF28F8F09A93B73FB963043148976D2458B26EDA706926CB42
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 445670068d637412e265b5dcc110428970f04da70a9775234524530f0272c3f3
• Instruction ID: 4644ed100c62e37b09f0e7a474d5ba4578c84cddf53a11117d2e2c54b0cefa30
• Opcode Fuzzy Hash: 445670068d637412e265b5dcc110428970f04da70a9775234524530f0272c3f3
• Instruction Fuzzy Hash: 1D51647171234EDFC746FF28F8A09A93B73FB963003148976D2054B26EDA706925CB82
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ba29a3c6a62595605fa960ad7d7019693a6dcb5acfff0ac7e905984d25bfed7
• Instruction ID: 18e8b8a2f5fa58b99fbac494324e712115400102cdef458541a6af9ccb3e54a4
• Opcode Fuzzy Hash: 6ba29a3c6a62595605fa960ad7d7019693a6dcb5acfff0ac7e905984d25bfed7
• Instruction Fuzzy Hash: 58316E30E40259CBDB25CFA9C8957EEF7B2EF86304F209569E902EB250D7719C42CB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0afce9cbd25d622cd1cadbd6b3b3a900d3dad879b446e1b0684fe58ab530acaa
• Instruction ID: 64329872febcbb7eb70506331e6753d47453783ae18773e087b21c9f859c3e8a
• Opcode Fuzzy Hash: 0afce9cbd25d622cd1cadbd6b3b3a900d3dad879b446e1b0684fe58ab530acaa
• Instruction Fuzzy Hash: FF314F31E40219DBDB15CFA9D8507AEF7B2FF86304F10952AE906EB240EB719D42CB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 15fa4b434d2a460f99a1a569e7a0261718e06bc07f15cd745db846e83aaaec62
                                                                                    • Instruction ID: 3976dafc04482297b914db3056352ffd663ace3b27880b24b50fcd35b686717e
                                                                                    • Opcode Fuzzy Hash: 15fa4b434d2a460f99a1a569e7a0261718e06bc07f15cd745db846e83aaaec62
                                                                                    • Instruction Fuzzy Hash: B941DCB5D00349DFEB10CFA9C584ADEBBB5FF48314F24802AE909AB254DB759946CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ba1f9efa7bec9e80013fc733bfd561d7f94392c2f34ba98fc0cf71ac4fa3122b
                                                                                    • Instruction ID: e805068fce848b6025232a3dcea6b4224455c73dc9b9ad9960268795147b5921
                                                                                    • Opcode Fuzzy Hash: ba1f9efa7bec9e80013fc733bfd561d7f94392c2f34ba98fc0cf71ac4fa3122b
                                                                                    • Instruction Fuzzy Hash: BA41EEB5D00349DFEB10CFA9C984ADEBBF5FF48314F148029E809AB254DB75A945CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a71c30dd3942bce310567a8145984a9edf2a478770d644746c9fd71ba13be68c
                                                                                    • Instruction ID: cdf74b3c1c0b9517c0e431902aa5e8f5d4a4bf314cb12418ba087d9ca2d0af41
                                                                                    • Opcode Fuzzy Hash: a71c30dd3942bce310567a8145984a9edf2a478770d644746c9fd71ba13be68c
                                                                                    • Instruction Fuzzy Hash: 54315C70E0021A9BDB15CF68D85079EF7B2FF89304F10D62AE905EB355DB719886CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 391c3825b8da848e01a3ff037db225b97c4986c46348b90978263b4f38ba0873
                                                                                    • Instruction ID: d6f1bdf1d7f3d14e47a9f2e22a3f9d5877335ae52834b12d591909bbbe3881e9
                                                                                    • Opcode Fuzzy Hash: 391c3825b8da848e01a3ff037db225b97c4986c46348b90978263b4f38ba0873
                                                                                    • Instruction Fuzzy Hash: A7212B346403054FEF62EB78E8947693766EF45308F109A26D40ACF256D734D891CB92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 42d83fe45e25829078f73232229894c30713cf71db1c3a7eba4de0a6405e95f9
                                                                                    • Instruction ID: 593a64fe902d63bff996b7e0ec402c79b9fc81710069e1af1913e6bbdc097f2a
                                                                                    • Opcode Fuzzy Hash: 42d83fe45e25829078f73232229894c30713cf71db1c3a7eba4de0a6405e95f9
                                                                                    • Instruction Fuzzy Hash: 78217F70E002099BDB15DF69D85069EF7B2FF89304F10D62AE805FB345DB719886CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 195004d3b54efa8952e6bf85747b3524f5f312070bace177211025fba404b22b
                                                                                    • Instruction ID: ef26b6dc9847831e00f6175b00c12123c449e5713e3d6c5293a580c9159c97f9
                                                                                    • Opcode Fuzzy Hash: 195004d3b54efa8952e6bf85747b3524f5f312070bace177211025fba404b22b
                                                                                    • Instruction Fuzzy Hash: 40212C34A80204CFDB54EB74D5A9BAD77F2EB4D308B118468E906EB3A5DB319D01CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 94a9ff449e5b431a355b31ca78e00de8020f9a5fa20cf0f1fc7f166df593c8b1
                                                                                    • Instruction ID: 314f74a0bfa2fb757f56898d95086881f25530f1145d49b601158ea72b7ceac2
                                                                                    • Opcode Fuzzy Hash: 94a9ff449e5b431a355b31ca78e00de8020f9a5fa20cf0f1fc7f166df593c8b1
                                                                                    • Instruction Fuzzy Hash: 26217F30E402199BDB19CF64C46069EFBB2FF89314F10CA2AE816FB351EB709846CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 331d930c3cd626ae69c249ff6ef995e6cf5b565de65cdd4821daf98ead9df21e
                                                                                    • Instruction ID: f8d7a340aed77f129d871437f2d3d1c45326cfcd69542b7200e059f2ccf9df7d
                                                                                    • Opcode Fuzzy Hash: 331d930c3cd626ae69c249ff6ef995e6cf5b565de65cdd4821daf98ead9df21e
                                                                                    • Instruction Fuzzy Hash: C721C630AC03419BDF315679E09837D3766EB06319F61587AD44ACF786D729C886C742
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2558966395.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2bfd000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cb3710405cdd789dc6485154a8ab60c06314f603ab2970078a9c4eda51c088fa
                                                                                    • Instruction ID: 5f53d85e2a8f9f95a128fc3446e8a1435ea2324c1c886f21c0823472fe1ae6ef
                                                                                    • Opcode Fuzzy Hash: cb3710405cdd789dc6485154a8ab60c06314f603ab2970078a9c4eda51c088fa
                                                                                    • Instruction Fuzzy Hash: 97213471604344DFDB54DF20D9D0B26BBA5FB84314F24C6ADEA0A4B692C736D84BCA62
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a2a7dbd6a661e7660ec94e0a7f9cc5c64417047e5f1b8bf6201e459fefb9aa34
                                                                                    • Instruction ID: 3729c0301ce99840c60a2ffad693ebe35cb8ec3b70d27964c38630dd1c6268b4
                                                                                    • Opcode Fuzzy Hash: a2a7dbd6a661e7660ec94e0a7f9cc5c64417047e5f1b8bf6201e459fefb9aa34
                                                                                    • Instruction Fuzzy Hash: 0D213930B40309CFEB14EB64C554BAE77F6AB49249F204468D50AEF294DB329D41CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b14f9e0abfc1f118118c61b075d421478c74cdae634b195a8b7c67f8d54adca2
                                                                                    • Instruction ID: 8b799aab731f8bb9ed4ac67dbfde112b14e1a2986107ecf40a5ee4f16af7bb17
                                                                                    • Opcode Fuzzy Hash: b14f9e0abfc1f118118c61b075d421478c74cdae634b195a8b7c67f8d54adca2
                                                                                    • Instruction Fuzzy Hash: 07214830B40345CFEB14EB74C564BEE77B6AB49349F204468D50AEB294DB368D01DBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0957db84bb2cc1e1dbf1efa710c78399c9ec97f1cecfbba773aef1137f3c399d
                                                                                    • Instruction ID: 4744e3733d6f04a147f97b3b2c8766ac262f6074e2ac4fc6547de2f3607081ac
                                                                                    • Opcode Fuzzy Hash: 0957db84bb2cc1e1dbf1efa710c78399c9ec97f1cecfbba773aef1137f3c399d
                                                                                    • Instruction Fuzzy Hash: 3C215E30E002199BDB19CF65C4506AEF7B2BF89314F10C62AE916FB351EB70A845CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a3ef40c6a667569ccc857faa753723558c55d6c98ac9e478942c417e730eb64
                                                                                    • Instruction ID: 2db5a6598cf848b7cff0e58150d65acceef9546dd22b2f51de00c14da9cb3350
                                                                                    • Opcode Fuzzy Hash: 7a3ef40c6a667569ccc857faa753723558c55d6c98ac9e478942c417e730eb64
                                                                                    • Instruction Fuzzy Hash: 3B21D6386403058BEF61FB68E89476D3767EF45309F209A32D40ACF259DB34DC918BA2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2558966395.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2bfd000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d4535e63e495398bac1f939d72c231ceed3de95a901d58979aa4f3a792f3fc6d
                                                                                    • Instruction ID: 23319f5e91f64f974fe6b0615bc7ac557a96ed17c65e35baa7fdb122b0d60a28
                                                                                    • Opcode Fuzzy Hash: d4535e63e495398bac1f939d72c231ceed3de95a901d58979aa4f3a792f3fc6d
                                                                                    • Instruction Fuzzy Hash: 20215C715093C09FCB03CF24D9A4711BF71EB46214F2985DBD9898B6A7C33A984ACB62
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c43d77c177491342235e2be079cfd4e1770e250f98c054fa20eb77abc01cbb0a
                                                                                    • Instruction ID: 761193890b9ae0d6ff7bf935ffed7d9cb37e73adcadb909abc6183b97aca4ec0
                                                                                    • Opcode Fuzzy Hash: c43d77c177491342235e2be079cfd4e1770e250f98c054fa20eb77abc01cbb0a
                                                                                    • Instruction Fuzzy Hash: AB21FA34B40208CFDB54EB78D598BAD77F2EB89708B119568E506EB3A5DB329D00CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2559613435.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_2e70000_FVN001-230824.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3c2bdac10a76dad218a1d208181d52c3aa2bb66615df162b8cb5279cc37a4d87
                                                                                    • Instruction ID: 12fc37572b6d7da5ca7fbaab4cf710672cd9f0e391c2d13f234820a6dd2413fe
                                                                                    • Opcode Fuzzy Hash: 3c2bdac10a76dad218a1d208181d52c3aa2bb66615df162b8cb5279cc37a4d87
                                                                                    • Instruction Fuzzy Hash: A7113331B803419FCB20ABB9A8446AE3FF5FF89265B140875D449CB202E73488128791
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%