Windows Analysis Report
OKJ2402PRT000025.PDF.scr.exe

Overview

General Information

Sample name: OKJ2402PRT000025.PDF.scr.exe
Analysis ID: 1430323
MD5: 699b4ee5b2ca5887e48214ff1528e25d
SHA1: ac35dfe4cdabbb884eabe1c36e990b4fe3edab37
SHA256: c9495cc11ac18b285ddfe9c82c76d789a5caa7179f7500cc5e6ec7d659ca8c54
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • OKJ2402PRT000025.PDF.scr.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe" MD5: 699B4EE5B2CA5887E48214FF1528E25D)
    • OKJ2402PRT000025.PDF.scr.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe" MD5: 699B4EE5B2CA5887E48214FF1528E25D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "prince@wmlimternational.com", "Password": "WiYR)pU7"}
Source | Rule | Description | Author | Strings
00000003.00000002.3312450936.000000000296A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3163b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x316ad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31737:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x317c9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31833:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x318a5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3193b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x319cb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

                    Source: Network Connection, Author: frack113, Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Initiated: true, ProcessId: 6656, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49704
                    No Snort rule has matched

                    AV Detection

                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "prince@wmlimternational.com", "Password": "WiYR)pU7"}
                    Source: OKJ2402PRT000025.PDF.scr.exeReversingLabs: Detection: 60%
                    Source: OKJ2402PRT000025.PDF.scr.exeJoe Sandbox ML: detected
                    Source: OKJ2402PRT000025.PDF.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: OKJ2402PRT000025.PDF.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeCode function: 4x nop then jmp 075DFE07h0_2_075DF711
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeCode function: 4x nop then jmp 075DFE07h0_2_075DF870
                    Source: global trafficTCP traffic: 192.168.2.6:49704 -> 208.91.199.224:587
                    Source: Joe Sandbox ViewIP Address: 208.91.199.224 208.91.199.224
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownDNS traffic detected: queries for: us2.smtp.mailhostbox.com
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0A
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, 7KG.cs.Net Code: _1Sqy9

                    System Summary

                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: OKJ2402PRT000025.PDF.scr.exe, Form4.csLarge array initialization: : array initializer size 622173
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.321a0a8.5.raw.unpack, HomeView.csLarge array initialization: : array initializer size 33604
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.5610000.12.raw.unpack, HomeView.csLarge array initialization: : array initializer size 33604
                    Source: initial sampleStatic PE information: Filename: OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2144153746.0000000005610000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2140529351.000000000126E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2145628633.000000000B5C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2141269562.000000000346C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea4fc95b8-6cda-4231-99a4-d3be09dde129.exe4 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004BCE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea4fc95b8-6cda-4231-99a4-d3be09dde129.exe4 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2141269562.00000000031F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310652271.0000000000938000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamea4fc95b8-6cda-4231-99a4-d3be09dde129.exe4 vs OKJ2402PRT000025.PDF.scr.exe
                    Source: OKJ2402PRT000025.PDF.scr.exeBinary or memory string: OriginalFilenameIJaI.exeL vs OKJ2402PRT000025.PDF.scr.exe
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: OKJ2402PRT000025.PDF.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, 1UT6pzc0M.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, DnQOD3M.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, 01seU.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, iUDwvr7Gz.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, XUu2qKyuF6.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, aZathEIgR.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, VJnyNfUTwyxOShbVaD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OKJ2402PRT000025.PDF.scr.exe.log
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeMutant created: \Sessions\1\BaseNamedObjects\NLPSTWXecbdPrQGz
                    Source: OKJ2402PRT000025.PDF.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeFile read: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe:Zone.Identifier
                    Source: unknownProcess created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeProcess created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: OKJ2402PRT000025.PDF.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: OKJ2402PRT000025.PDF.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: OKJ2402PRT000025.PDF.scr.exe, Form1.cs, .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.cs, .Net Code: qNr4JmxxcH System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.321a0a8.5.raw.unpack, HomeView.cs, .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.5610000.12.raw.unpack, HomeView.cs, .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_0140CED8 pushfd ; retf 0_2_0140CED9
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_0560BCD5 pushad ; retf 0_2_0560BCD6
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_0560BCDF pushad ; retf 0_2_0560BCE0
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D6742 pushad ; iretd 0_2_075D6744
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D677E pushad ; iretd 0_2_075D677F
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D676A pushad ; iretd 0_2_075D676B
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D67DB pushad ; iretd 0_2_075D67E1
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D67C1 pushad ; iretd 0_2_075D67C7
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D67FC pushad ; iretd 0_2_075D67FE
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D67AD pushad ; iretd 0_2_075D67B3
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D2C2A pushfd ; iretd 0_2_075D2C2B
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D8BB1 push eax; iretd 0_2_075D8BD5
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Code function: 0_2_075D6828 pushad ; iretd 0_2_075D6829
                    Source: OKJ2402PRT000025.PDF.scr.exe, Static PE information: section name: .text entropy: 7.875003692297347

                    Hooking and other Techniques for Hiding and Protection

                    Source: Possible double extension: pdf.scr, Static PE information: OKJ2402PRT000025.PDF.scr.exe
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match, File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 13C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 31F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 2FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 8DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 9DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 9FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: AFD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: B650000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: C650000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: D650000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 2690000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 28F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Memory allocated: 2810000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeWindow / User API: threadDelayed 938Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeWindow / User API: threadDelayed 4435Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 2360Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 6444Thread sleep count: 938 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 6428Thread sleep count: 4435 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99734s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99625s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99516s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -99063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98484s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98375s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98266s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98151s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -98047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -97110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99860Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99734Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99625Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99516Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99406Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99297Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99188Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 99063Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98938Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98828Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98719Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98594Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98484Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98375Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98266Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98151Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 98047Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97938Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97813Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97703Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97594Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97469Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97360Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97235Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory written: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.3312450936.000000000296A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 6656, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 6656, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.3312450936.000000000296A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 6656, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    1
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)13
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    1
                    Query Registry
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS111
                    Security Software Discovery
                    Distributed Component Object Model1
                    Input Capture
                    11
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets1
                    Process Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    Masquerading
                    Cached Domain Credentials141
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion
                    DCSync1
                    Application Window Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    SourceDetectionScannerLabelLink
                    OKJ2402PRT000025.PDF.scr.exe61%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    OKJ2402PRT000025.PDF.scr.exe100%Joe Sandbox ML
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    SourceDetectionScannerLabelLink
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                    http://ocsp.sectigo.com0A0%URL Reputationsafe
                    https://sectigo.com/CPS00%URL Reputationsafe
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    us2.smtp.mailhostbox.com
                    208.91.199.224
                    truefalse
                      high
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://ocsp.sectigo.com0AOKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://sectigo.com/CPS0OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://account.dyn.com/OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        high
                        http://us2.smtp.mailhostbox.comOKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          IPDomainCountryFlagASNASN NameMalicious
                          208.91.199.224
                          us2.smtp.mailhostbox.comUnited States
                          394695PUBLIC-DOMAIN-REGISTRYUSfalse
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1430323
                          Start date and time:2024-04-23 14:21:05 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 33s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:8
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:OKJ2402PRT000025.PDF.scr.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 108
                          • Number of non-executed functions: 23
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: OKJ2402PRT000025.PDF.scr.exe
                          TimeTypeDescription
                          14:21:49API Interceptor27x Sleep call for process: OKJ2402PRT000025.PDF.scr.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          208.91.199.224Urgent PO 18-3081 Confirmation.exeGet hashmaliciousAgentTeslaBrowse
                            HDPESDR11OD5606METERS.exeGet hashmaliciousAgentTeslaBrowse
                              HDPESDR1145-6METERS.exeGet hashmaliciousAgentTeslaBrowse
                                TT copy of the first payment.exeGet hashmaliciousAgentTeslaBrowse
                                  rTDN001-180424_PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                    1iO53raUh69l6nV.exeGet hashmaliciousAgentTeslaBrowse
                                      HmGUCvTQIacWu7Q.exeGet hashmaliciousAgentTeslaBrowse
                                        Payment.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                          Gcerti Quote.exeGet hashmaliciousAgentTeslaBrowse
                                            Syknivkloo.exeGet hashmaliciousAgentTeslaBrowse
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              us2.smtp.mailhostbox.comUrgent PO 18-3081 Confirmation.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              HDPESDR11OD5606METERS.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.198.143
                                              HDPESDR1145-6METERS.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.225
                                              TT copy of the first payment.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.198.143
                                              rTDN001-180424_PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 208.91.198.143
                                              1iO53raUh69l6nV.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              HmGUCvTQIacWu7Q.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.223
                                              Payment.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                              • 208.91.198.143
                                              Gcerti Quote.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.198.143
                                              Syknivkloo.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.223
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              PUBLIC-DOMAIN-REGISTRYUSPO82100088.exeGet hashmaliciousAgentTeslaBrowse
                                              • 199.79.62.115
                                              BARSYL SHIPPING Co (VIETNAM).exeGet hashmaliciousAgentTeslaBrowse
                                              • 162.215.248.214
                                              Urgent PO 18-3081 Confirmation.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              72625413524.vbsGet hashmaliciousXWormBrowse
                                              • 116.206.104.215
                                              HDPESDR11OD5606METERS.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              SecuriteInfo.com.MSIL.Kryptik.AGUH.tr.13955.20631.exeGet hashmaliciousAgentTeslaBrowse
                                              • 162.215.248.214
                                              HDPESDR1145-6METERS.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              TT copy of the first payment.exeGet hashmaliciousAgentTeslaBrowse
                                              • 208.91.199.224
                                              8xFzJWrEIa.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, VidarBrowse
                                              • 111.118.215.174
                                              Scan Copy 0092316282.exeGet hashmaliciousAgentTeslaBrowse
                                              • 162.215.248.214
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.865188334502124
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:OKJ2402PRT000025.PDF.scr.exe
                                              File size:722'432 bytes
                                              MD5:699b4ee5b2ca5887e48214ff1528e25d
                                              SHA1:ac35dfe4cdabbb884eabe1c36e990b4fe3edab37
                                              SHA256:c9495cc11ac18b285ddfe9c82c76d789a5caa7179f7500cc5e6ec7d659ca8c54
                                              SHA512:07afcdc98b6bbfce341a97c871f8c004890def6ca19a169401583ae1afedc5b330a6456a43b80a0a3c1c1b9cc2f7a680beda0a2be979a1bd960a187f420b962f
                                              SSDEEP:12288:Do7gHK0cpSDviH6VSx/Q67K4xAgSDGQr0UehDkIb6JjXMjTFg5:ljwQ67K4C9DjrYhD6XoTF
                                              TLSH:4BE41248767E2F16D9BD93B948621C2407B2B07F5222E70B0FC654D72E62B94CE89F53
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....%f................................. ........@.. .......................`............@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x4b180e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6625F58D [Mon Apr 22 05:28:45 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb17b8 | 0x53 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x800 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xaf814 | 0xafa00 | c3b12e93f27c363fe9b7eb75ed1fb19e | False | 0.9266890013345196 | SysEx File - AdamsSmith | 7.875003692297347 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xb2000 | 0x800 | 0x800 | 102e71aac0a9ff4ba9ba5c0b9e114638 | False | 0.33447265625 | data | 3.4156752585994528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xb4000 | 0xc | 0x200 | 9a45e7980fab8b902c3334148e80de1a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_VERSION | 0xb2090 | 0x380 | data | | | 0.43080357142857145
                                              RT_MANIFEST | 0xb2420 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Apr 23, 2024 14:21:57.213057995 CEST | 57592 | 53 | 192.168.2.6 | 1.1.1.1
                                              Apr 23, 2024 14:21:57.320476055 CEST | 53 | 57592 | 1.1.1.1 | 192.168.2.6
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Apr 23, 2024 14:21:57.213057995 CEST | 192.168.2.6 | 1.1.1.1 | 0x76f7 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Apr 23, 2024 14:21:57.320476055 CEST | 1.1.1.1 | 192.168.2.6 | 0x76f7 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false
                                              Apr 23, 2024 14:21:57.320476055 CEST | 1.1.1.1 | 192.168.2.6 | 0x76f7 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false
                                              Apr 23, 2024 14:21:57.320476055 CEST | 1.1.1.1 | 192.168.2.6 | 0x76f7 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false
                                              Apr 23, 2024 14:21:57.320476055 CEST | 1.1.1.1 | 192.168.2.6 | 0x76f7 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                              Apr 23, 2024 14:21:58.013722897 CEST | 587 | 49704 | 208.91.199.224 | 192.168.2.6 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                              Apr 23, 2024 14:21:58.014502048 CEST | 49704 | 587 | 192.168.2.6 | 208.91.199.224 | EHLO 701188
                                              Apr 23, 2024 14:21:58.169173956 CEST | 587 | 49704 | 208.91.199.224 | 192.168.2.6 | 250-us2.outbound.mailhostbox.com
                                              250-PIPELINING
                                              250-SIZE 41648128
                                              250-VRFY
                                              250-ETRN
                                              250-STARTTLS
                                              250-AUTH PLAIN LOGIN
                                              250-AUTH=PLAIN LOGIN
                                              250-ENHANCEDSTATUSCODES
                                              250-8BITMIME
                                              250-DSN
                                              250 CHUNKING
                                              Apr 23, 2024 14:21:58.169382095 CEST | 49704 | 587 | 192.168.2.6 | 208.91.199.224 | STARTTLS
                                              Apr 23, 2024 14:21:58.324784994 CEST | 587 | 49704 | 208.91.199.224 | 192.168.2.6 | 220 2.0.0 Ready to start TLS


                                              Target ID:0
                                              Start time:14:21:49
                                              Start date:23/04/2024
                                              Path:C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
                                              Imagebase:0xb90000
                                              File size:722'432 bytes
                                              MD5 hash:699B4EE5B2CA5887E48214FF1528E25D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:14:21:55
                                              Start date:23/04/2024
                                              Path:C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
                                              Imagebase:0x4c0000
                                              File size:722'432 bytes
                                              MD5 hash:699B4EE5B2CA5887E48214FF1528E25D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3312450936.000000000296A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false


                                                Execution Graph

                                                Execution Coverage:11.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:311
                                                Total number of Limit Nodes:10
44865 2fd2cf8 44849->44865 44870 2fd1f78 44849->44870 44856 2fd1fae 44855->44856 44858 2fd2cf8 2 API calls 44856->44858 44859 2fd2ce8 2 API calls 44856->44859 44857 2fd1fcf 44857->44850 44858->44857 44859->44857 44861 2fd2d25 44860->44861 44862 2fd2d57 44861->44862 44875 5602250 44861->44875 44881 5602260 44861->44881 44866 2fd2d25 44865->44866 44867 2fd2d57 44866->44867 44868 5602260 2 API calls 44866->44868 44869 5602250 2 API calls 44866->44869 44868->44867 44869->44867 44871 2fd1fae 44870->44871 44873 2fd2cf8 2 API calls 44871->44873 44874 2fd2ce8 2 API calls 44871->44874 44872 2fd1fcf 44872->44850 44873->44872 44874->44872 44876 5602260 44875->44876 44877 5602275 44876->44877 44887 2fd4520 44876->44887 44891 2fd44f1 44876->44891 44877->44862 44878 56022a0 44878->44862 44882 560226d 44881->44882 44883 5602275 44882->44883 44885 2fd44f1 CallWindowProcW 44882->44885 44886 2fd4520 CallWindowProcW 44882->44886 44883->44862 44884 56022a0 44884->44862 44885->44884 44886->44884 44888 2fd4562 44887->44888 44890 2fd4569 44887->44890 44889 2fd45ba CallWindowProcW 44888->44889 44888->44890 44889->44890 44890->44878 44892 2fd4562 44891->44892 44893 2fd4569 44891->44893 44892->44893 44894 2fd45ba CallWindowProcW 44892->44894 44893->44878 44894->44893

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 7Z/t$RWIK$[[bb
                                                • API String ID: 0-1157992699
                                                • Opcode ID: 348d002610b0025846f57607be2583933306aa5d8a3ac845db5c028ab706bef0
                                                • Instruction ID: ef4d0cf0b06b41ec09eb5ce3ab6d3caf66dcf57ac8300775461538d1ef8b0c27
                                                • Opcode Fuzzy Hash: 348d002610b0025846f57607be2583933306aa5d8a3ac845db5c028ab706bef0
                                                • Instruction Fuzzy Hash: 6A510970E1420A8FCB08CFAAC5416AFFBF2EF88350F15D16AD419A7294D7349A42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 7Z/t$RWIK$[[bb
                                                • API String ID: 0-1157992699
                                                • Opcode ID: f6179fe1c0d1f0608c51a1ff345abb70f22adaaaa6ffc4fce47d2a96b05ad3ae
                                                • Instruction ID: eaabbc0b4737c94af02ecc7ced6fda90696ecb1a4dc3650a9a22ee8782aba58c
                                                • Opcode Fuzzy Hash: f6179fe1c0d1f0608c51a1ff345abb70f22adaaaa6ffc4fce47d2a96b05ad3ae
                                                • Instruction Fuzzy Hash: 9D51F970E146099FCB08CFAAC5416AFFBF2EF88350F14E56AD419A7294D7349A42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: a9fe48b660b61d4f1ea2adf034dde520a4b1fe074c72eaa76f62b89c161cbe85
                                                • Instruction ID: 2050367280e2db8bd0b4cd6736d5f71959148d254fd432dbe708908462a8492b
                                                • Opcode Fuzzy Hash: a9fe48b660b61d4f1ea2adf034dde520a4b1fe074c72eaa76f62b89c161cbe85
                                                • Instruction Fuzzy Hash: E6E13A70A1420ADFDB08CFE9C5859AFFBB2FB48310B14E666D411AB694D7349A43CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tIh
                                                • API String ID: 0-443931868
                                                • Opcode ID: 3195cac8a9d733c8c2cfc1be56f6bd5ba0a9f311e5495be928f871950ab19759
                                                • Instruction ID: 42a6797d1bc4ad3d252f57fb93e65cc50d772a8670ea1be710ccc82d36f7621d
                                                • Opcode Fuzzy Hash: 3195cac8a9d733c8c2cfc1be56f6bd5ba0a9f311e5495be928f871950ab19759
                                                • Instruction Fuzzy Hash: E6D12870D1421ADFDB08CFD9D5848AEFBB2FF88300B14E66AD415AB254D7349A82CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: )"
                                                • API String ID: 0-4237191880
                                                • Opcode ID: 79f38fa2004a485359407a917971f22fcc704d2d601632b237ad4503213922b8
                                                • Instruction ID: f99588f9769b06875de150efbd5ebc2acc67a4e82cd45256d8657431d09dfebf
                                                • Opcode Fuzzy Hash: 79f38fa2004a485359407a917971f22fcc704d2d601632b237ad4503213922b8
                                                • Instruction Fuzzy Hash: 11A137B1E012099FCB09CFE9C8816EEFBB2FF89310F54952AD415AB395E7709906CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: )"
                                                • API String ID: 0-4237191880
                                                • Opcode ID: 49bfbe7fd11f1247043785e23ce2a5d221a0d38691a489b9b991fd15b5b2dbce
                                                • Instruction ID: 249cfb52fc183ccbe492e6f2429597f73a1eff31f8c092522b6dac6c860ab395
                                                • Opcode Fuzzy Hash: 49bfbe7fd11f1247043785e23ce2a5d221a0d38691a489b9b991fd15b5b2dbce
                                                • Instruction Fuzzy Hash: 1981C274E002099FDB08CFEAC984AEEBBB2FF89310F24952AD415AB358D7355946CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8acfe1dd6e7a7cc69b2c48dc43e6c467f04f180bfa3421d9882f982bdaf97db6
                                                • Instruction ID: b41bc307f137e2a9437486e01ea6c466891f28303b76bda0b30ff540748d792b
                                                • Opcode Fuzzy Hash: 8acfe1dd6e7a7cc69b2c48dc43e6c467f04f180bfa3421d9882f982bdaf97db6
                                                • Instruction Fuzzy Hash: F3912C71D15209DFCB18CFA5E580AAEFBB2FF89300F24A41AE416B7268D7349946CF15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 964af6c416dfb96096b35ac0940fec184ffaa204eaae47a1b06a0dfb874c3fc1
                                                • Instruction ID: f19da06c63012a04bd12d48f4a2296c0f63e5c15582960f90a3bc0dcb50d17f1
                                                • Opcode Fuzzy Hash: 964af6c416dfb96096b35ac0940fec184ffaa204eaae47a1b06a0dfb874c3fc1
                                                • Instruction Fuzzy Hash: 1F914C71E15209DFCB18CFA5E5809AEFBB2FB89300F24A416E416B7268D7349906CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: acd8fd93eadeb920bcbc34d9fdafd8e48e5122442981869257cde31f4d8d8613
                                                • Instruction ID: 5018564128a3350ce8c518bdf60166d7b3146b5263c5fa2c6dfc55f5dfa45f80
                                                • Opcode Fuzzy Hash: acd8fd93eadeb920bcbc34d9fdafd8e48e5122442981869257cde31f4d8d8613
                                                • Instruction Fuzzy Hash: 66811574E04219DFCB58CFA9C9809AEFBB2FB88310F40A66AD801E7355D7399916CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4453203ab985b8f1d60f74207e1e9cfba478801a99e909f39f7568e3511f18a7
                                                • Instruction ID: 15cde381c0127e9e2f1f321f4b6b0147f563265cf26d705a869922f78ff56e51
                                                • Opcode Fuzzy Hash: 4453203ab985b8f1d60f74207e1e9cfba478801a99e909f39f7568e3511f18a7
                                                • Instruction Fuzzy Hash: 03813270E04219CFCB48CFA9C9809AEFBB2FB88310F50A62AD801B7255D7399942CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bffa3d3e34eec5c5fdb037222c1d55c1c381be19f3e6276f94d378e421f99942
                                                • Instruction ID: 62d05b9650f708f44e6ffde331d8a5edb8bbcd99b38d775d58067cc418030b8f
                                                • Opcode Fuzzy Hash: bffa3d3e34eec5c5fdb037222c1d55c1c381be19f3e6276f94d378e421f99942
                                                • Instruction Fuzzy Hash: B2514BB0E1520A9FDB14CFAAD4456EEFBF2FF89310F10982AE415A7394D7749A418F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2946717633c0d23798ff2f3a38663b4fc21805dc13d215f5ada86439f5384ba
                                                • Instruction ID: d02df1c3701dd201552fc670c75cdd9a8cc5626ace01fa73b188a00c84dacd21
                                                • Opcode Fuzzy Hash: d2946717633c0d23798ff2f3a38663b4fc21805dc13d215f5ada86439f5384ba
                                                • Instruction Fuzzy Hash: 8621CD71E006588BEB58CF9BD95469EFBF3EFC8310F14C17AD408A6258DB715A45CE90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e71faa0233ad8fd67ad096909d1b27e0d3fdf2120d3b13e1069b679e47c4499
                                                • Instruction ID: 2d6e0813a86125803e02adb1437b99da11592ec2571fa58ea6d416bec9918d7e
                                                • Opcode Fuzzy Hash: 0e71faa0233ad8fd67ad096909d1b27e0d3fdf2120d3b13e1069b679e47c4499
                                                • Instruction Fuzzy Hash: E721DA71E006588BEB18CFABD9446DEFBF3EFC8310F14C17AD409A6268DB701A55CA90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eacd92f91e5efcdd04c26c421a0cce5420e671e695015c7bb556bd8e3d72dc46
                                                • Instruction ID: 5ead1a70269ca8754995813113fc82e816ba0dae46f015399c57a7f4070f00fd
                                                • Opcode Fuzzy Hash: eacd92f91e5efcdd04c26c421a0cce5420e671e695015c7bb556bd8e3d72dc46
                                                • Instruction Fuzzy Hash: D021E8B0D056588BEB28CFAAC8557DEFFF6BFC9300F04C46AD40866254DB74094A8F50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 75c63c2103369280d62ccdb81bd60438f907d0f6369bccbe75852e719d03c25e
                                                • Instruction ID: 2faefbc072e4b67566de44b6e53e23a4e6a519beaa3693f9f08dd563deb14d53
                                                • Opcode Fuzzy Hash: 75c63c2103369280d62ccdb81bd60438f907d0f6369bccbe75852e719d03c25e
                                                • Instruction Fuzzy Hash: 92016DB985E258CFDB60DF68E4552E87BB8BF4B351F0455E6941AA2292D7300D84CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1831a1cbe3869941e4723f3ba6220888061287710d59f4b665efc99f74c50946
                                                • Instruction ID: 5722890bfc0d690fd6b0a3e00ed3db92bb215c0faca040955114ce4c08d7cea8
                                                • Opcode Fuzzy Hash: 1831a1cbe3869941e4723f3ba6220888061287710d59f4b665efc99f74c50946
                                                • Instruction Fuzzy Hash: 35E06DBAD59018CBC770DF98E4914F8B7BCFB4B311F0024A2941FA7252EB305D858E10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0140D87E
                                                • GetCurrentThread.KERNEL32 ref: 0140D8BB
                                                • GetCurrentProcess.KERNEL32 ref: 0140D8F8
                                                • GetCurrentThreadId.KERNEL32 ref: 0140D951
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0140D87E
                                                • GetCurrentThread.KERNEL32 ref: 0140D8BB
                                                • GetCurrentProcess.KERNEL32 ref: 0140D8F8
                                                • GetCurrentThreadId.KERNEL32 ref: 0140D951
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075DD996
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075DD996
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0140B3BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02FD1EE2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2141125152.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2fd0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02FD1EE2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2141125152.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2fd0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01405F99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01405F99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 02FD45E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2141125152.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2fd0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075DD568
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075DD568
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0140DACF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075DCF86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075DD648
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075DD648
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075DCF86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0140DACF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140B439,00000800,00000000,00000000), ref: 0140B64A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075DD486
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075DD486
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140B439,00000800,00000000,00000000), ref: 0140B64A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0140B3BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: Timer
                                                • String ID:
                                                • API String ID: 2870079774-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: Timer
                                                • String ID:
                                                • API String ID: 2870079774-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140396712.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_122d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 377ae867648fbeebefc979d4a02f2c2968e2273fb5c36699153c2d279818ca06
                                                • Instruction ID: 2a1c0c5e919f4995a4e5c92dc3df04fdc3aaf27212b2f08608120e57dac28f44
                                                • Opcode Fuzzy Hash: 377ae867648fbeebefc979d4a02f2c2968e2273fb5c36699153c2d279818ca06
                                                • Instruction Fuzzy Hash: 8F214572514248EFDB15DF54E9C0B2ABF61FB88318F20C56DEA090B256C3B6D466CAA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140396712.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_122d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f94bcf9c2039dcfc4f095477c59f04b01f62a6009f99fb4d533b6909a48f1cb9
                                                • Instruction ID: 904b3fbc39a6d4cc400e1619eb030b334d6f48f755a3d2406ad0f25a307700d5
                                                • Opcode Fuzzy Hash: f94bcf9c2039dcfc4f095477c59f04b01f62a6009f99fb4d533b6909a48f1cb9
                                                • Instruction Fuzzy Hash: 64216A76514248FFDB05DF44D9C0B6ABF65FB84324F20C16DDA090B256C376E456CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140422511.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_123d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 475f098f09848b3dda257c91ec9491df7eb815ca582310014b211b4499c3590a
                                                • Instruction ID: 4ace7875a41dafe4654625e92cefd4eaed4c5b5b0d1f5a30005b4fdc1d7709c9
                                                • Opcode Fuzzy Hash: 475f098f09848b3dda257c91ec9491df7eb815ca582310014b211b4499c3590a
                                                • Instruction Fuzzy Hash: 852146B5524308EFDB05DFA4D9C0B26BBA1FBC4324F60C56DEA094B253C7B6D806CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140422511.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_123d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 275b39508224338c2dd5448ce2abca3cd09705ad0d273cabe3bdc9554f8c7056
                                                • Instruction ID: 0676a2944afcee50e28b0ef1330cdc1c50949d4ff99ff182392b54bd43a7f48e
                                                • Opcode Fuzzy Hash: 275b39508224338c2dd5448ce2abca3cd09705ad0d273cabe3bdc9554f8c7056
                                                • Instruction Fuzzy Hash: AF2100B5614208EFDB15DF64D9C0B26FB65FBC4B14F60C56DEA0A0B252C37AD406CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140422511.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_123d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34c40129239b1eec6c538523bd260f635dc5cdf50ad38c97af9ead7eec923fcb
                                                • Instruction ID: 008cd58790c8ea77b34eb99b761a68d9cf0855ac441347aed7f5ebf1a9961038
                                                • Opcode Fuzzy Hash: 34c40129239b1eec6c538523bd260f635dc5cdf50ad38c97af9ead7eec923fcb
                                                • Instruction Fuzzy Hash: 6E2183B55083849FCB02CF64D994711BF71EB86714F28C5DAD9498F2A7C33AD816CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140396712.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_122d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: c5b352093cc2b694c49d1083d24cb4655b0f2662d7b4fae2c854c07ade747183
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: 5D112676404284DFCB12CF54D5C0B1ABF71FB84318F24C6A9D9090B257C33AD46ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140396712.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_122d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: 6c636c6c2b543a0c473cdbb1fe4386e5c816a3bf3cb3f85652d5a30fdf24f54b
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: 591126B6404284DFDB12CF44D9C0B5ABF71FB84324F24C2A9D9090B257C33AE456CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140422511.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_123d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: ef0b0710c4b9d1f458077b4a0978c0046f43850010b3139428eb6636429af867
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: 7E11BBB5504284DFDB02CF54C5C0B15BBA1FB84224F24C6A9D9494B2A7C33AD40ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140396712.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_122d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 893ba1d86fc5cab081486ffe09318c3f78d6968f2d3cdd1839424404cadf68a3
                                                • Instruction ID: 5aa02c2f31afcbf45600a58da012f96ea466102b781106b2dd2cc4ba7ce92793
                                                • Opcode Fuzzy Hash: 893ba1d86fc5cab081486ffe09318c3f78d6968f2d3cdd1839424404cadf68a3
                                                • Instruction Fuzzy Hash: 3C012B71414398AAF7244EA9CDC4B6ABF98DF41324F08C51AEF084A282D6BD9840C6B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140396712.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_122d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 19b7ab3d4c5b7385ead65a3c2730b43f316ecd4d9f18a7b28a97aaa7d0ae1b6f
                                                • Instruction ID: 616fe2dae59b34f55791a1847b8f0b92dd7d5c39b9851554e8b0c6a2779241ee
                                                • Opcode Fuzzy Hash: 19b7ab3d4c5b7385ead65a3c2730b43f316ecd4d9f18a7b28a97aaa7d0ae1b6f
                                                • Instruction Fuzzy Hash: 90F0C271404394AEE7158E19CCC4B66FF98EB81734F18C45AEE080A286C27D9840CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: 3f8dc33512c6ce5fcd7750cfc7b4fc7311477e2f340d1130e0c675c6a9c19e42
                                                • Instruction ID: 50802d533840c08790342fb7f64f5d37a376aed88ecc2939c93d3131ac6ae8bd
                                                • Opcode Fuzzy Hash: 3f8dc33512c6ce5fcd7750cfc7b4fc7311477e2f340d1130e0c675c6a9c19e42
                                                • Instruction Fuzzy Hash: BB21A6B1E146189BEB18CFABD84079EFBF7AFC8300F14C16AD519A6254EB344A45CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2141125152.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2fd0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140763858.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2141125152.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2fd0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2145026994.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_75d0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2144114609.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5600000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.2%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:17
                                                Total number of Limit Nodes:4
                                                execution_graph 27014 26f0848 27016 26f084e 27014->27016 27015 26f091b 27016->27015 27018 26f1380 27016->27018 27020 26f1396 27018->27020 27019 26f1484 27019->27016 27020->27019 27022 26f7090 27020->27022 27023 26f709a 27022->27023 27024 26f70b4 27023->27024 27027 5dbd340 27023->27027 27031 5dbd330 27023->27031 27024->27020 27029 5dbd355 27027->27029 27028 5dbd56a 27028->27024 27029->27028 27030 5dbd580 GlobalMemoryStatusEx 27029->27030 27030->27029 27033 5dbd33a 27031->27033 27032 5dbd56a 27032->27024 27033->27032 27034 5dbd580 GlobalMemoryStatusEx 27033->27034 27034->27033
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c88d371bee8b39920e6eec16c14e238afc4938c2fb8f209b6c46566314086de
                                                • Instruction ID: 87c767d73a8c1de59ba60f440c771b0141ae0141e7cbd3e71e63102624f1e925
                                                • Opcode Fuzzy Hash: 4c88d371bee8b39920e6eec16c14e238afc4938c2fb8f209b6c46566314086de
                                                • Instruction Fuzzy Hash: 5E332D31D107198EDB11EF68C8806ADF7B1FF99300F15D79AE548A7261EB70AAC5CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f6a14ae5af056bc7b9d0b1648c193ae03d728eecb57bdb46f69d40e3f27f850
                                                • Instruction ID: 0fc80f28ed97f06aeb285b2bfbbd96419497f0458d9aa92be93f86ffd8c9190c
                                                • Opcode Fuzzy Hash: 4f6a14ae5af056bc7b9d0b1648c193ae03d728eecb57bdb46f69d40e3f27f850
                                                • Instruction Fuzzy Hash: FC325935A012058FDF94DF68D484BADBBB2FB88314F248569EA09EB395DB71DC41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df05e273af20f6609e317d03112c91cbfbc36a9437d62e48c8b603745c618034
                                                • Instruction ID: b9c112f70289b8f75039791d16db34521ad42cb745ae1d362b3b276b0e2d3de5
                                                • Opcode Fuzzy Hash: df05e273af20f6609e317d03112c91cbfbc36a9437d62e48c8b603745c618034
                                                • Instruction Fuzzy Hash: 8FB15B71E00209CFDF54CFA9C8917AEBBF2AF88714F149129DA15E7794EB749841CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06e07cb89d9ed13c5bfedb88963b8904dc05a87b08bc8a5f1868e4ec9a6283cd
                                                • Instruction ID: d5284162b35f7f64699e747d46436e9213e3adef95b18a64e8a28e3d795d7bab
                                                • Opcode Fuzzy Hash: 06e07cb89d9ed13c5bfedb88963b8904dc05a87b08bc8a5f1868e4ec9a6283cd
                                                • Instruction Fuzzy Hash: A3916A70E00249CFDF54CFA9C9857AEBBF2AF88714F148129E605A7794EB749846CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 937 5dbe140-5dbe15b 938 5dbe15d-5dbe184 call 5dbd300 937->938 939 5dbe185-5dbe1a4 call 5dbd30c 937->939 945 5dbe1aa-5dbe1fa 939->945 946 5dbe1a6-5dbe1a9 939->946 951 5dbe1fc-5dbe209 945->951 952 5dbe214-5dbe29c GlobalMemoryStatusEx 945->952 955 5dbe20b-5dbe20e 951->955 956 5dbe20f 951->956 957 5dbe29e-5dbe2a4 952->957 958 5dbe2a5-5dbe2cd 952->958 956->952 957->958
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3316821718.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_5db0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16e01b0f4de00f46e2a538a58a8078aa90e10cedb7c36f0c4039b063d41c6e54
                                                • Instruction ID: 7ac183fdbcee8bc04e62230f7807440a16f6d7afb3bd68922d49387520d95878
                                                • Opcode Fuzzy Hash: 16e01b0f4de00f46e2a538a58a8078aa90e10cedb7c36f0c4039b063d41c6e54
                                                • Instruction Fuzzy Hash: 7A413672D183958FDB04CFA9C8043DEBFB5FF89210F1486ABD405A7641EB789845CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 961 5dbe228-5dbe266 962 5dbe26e-5dbe29c GlobalMemoryStatusEx 961->962 963 5dbe29e-5dbe2a4 962->963 964 5dbe2a5-5dbe2cd 962->964 963->964
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 05DBE28F
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3316821718.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_5db0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: c6ceed4de33ade78080699733eb3135ed17d86acd20f1aca703d5bbc06d16f40
                                                • Instruction ID: 24848bc86c370a80f3d18f130342a9aeceb55e527d374ed6ffa3745508d50a80
                                                • Opcode Fuzzy Hash: c6ceed4de33ade78080699733eb3135ed17d86acd20f1aca703d5bbc06d16f40
                                                • Instruction Fuzzy Hash: 791100B1C0065A9BDB10CF9AC445BDEFBB4AF48620F10816AE918A7240D3B8A950CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1f6d7d1114bb4fa87e32ebfd6aa05dccfe8424b28052558ef9b51e7090c07d33
                                                • Instruction ID: d5938da5a7038f423bbb0465194ceea921f58140a17d1b8bcc16f1fa489efe5b
                                                • Opcode Fuzzy Hash: 1f6d7d1114bb4fa87e32ebfd6aa05dccfe8424b28052558ef9b51e7090c07d33
                                                • Instruction Fuzzy Hash: F8125D34700502DBDB9AAB38E484A687AA7FBCA340F50596EE605CB355DF75EC46CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90f8d2cf6be0252818fa5612d569ccd5f36fb62a267c34c587518aa8beac6b67
                                                • Instruction ID: 9cefa314b8c7bb36dbc26c4122c03a2adbc9623f91e4cd5be0178cc9f7bb1a24
                                                • Opcode Fuzzy Hash: 90f8d2cf6be0252818fa5612d569ccd5f36fb62a267c34c587518aa8beac6b67
                                                • Instruction Fuzzy Hash: 0A125D34700502DBDB9AAB38E484A697AA7FBCA340F50596EE605CB355CF75EC46CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ad4b0dc7ab06057bd363b4b685fd48bcd92cf7d4ff46fe2b16a67367694d12b
                                                • Instruction ID: 2a1aca727d101575218e3057dda2ba8265438efd221c032b2cf57264e4a7e00d
                                                • Opcode Fuzzy Hash: 3ad4b0dc7ab06057bd363b4b685fd48bcd92cf7d4ff46fe2b16a67367694d12b
                                                • Instruction Fuzzy Hash: EDB15971E00209CFDF50CFA8C89179EBBF2AF88714F149129DA15AB794EB749881CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0720c0739c483f7c9b7f4a11111e06992dd866d60c854954bd4f2e111672b910
                                                • Instruction ID: bee332e1edbdbadc8d41d4ace6a19dc5103307ae8ee893de4d4a9933f01b465c
                                                • Opcode Fuzzy Hash: 0720c0739c483f7c9b7f4a11111e06992dd866d60c854954bd4f2e111672b910
                                                • Instruction Fuzzy Hash: 97915D34A022149FDF98DB64D584BADBBF2EF88314F248569E906E73A4DB71DC42CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7108db4e9f1987d1d839da95bf07c502cebfe0439b07286253ceae851ff86585
                                                • Instruction ID: ce000deaf4c7686bc35ab2c6a793de37b5f3bfdb1588a5eac812fbfb731db2de
                                                • Opcode Fuzzy Hash: 7108db4e9f1987d1d839da95bf07c502cebfe0439b07286253ceae851ff86585
                                                • Instruction Fuzzy Hash: 9F915970E002499FDF50CFA8C9857EEBBF2AF88714F148129EA05A7754EB749846CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c37349921c61149aa97f67ab658dfb8193a24a43766d795e801023abe161065
                                                • Instruction ID: 3c66d9d22e80a09aacca3331a447de3b871729998d7e4e631b3ae6307c061122
                                                • Opcode Fuzzy Hash: 2c37349921c61149aa97f67ab658dfb8193a24a43766d795e801023abe161065
                                                • Instruction Fuzzy Hash: 017158B0E003498FDF50CFA9C88579EBBF2BF88714F148129EA15A7654EB749842CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4a2ed9b52c076a80df1eb11bdfd91bcb441753a3fc11e97641cb831f97a7848
                                                • Instruction ID: 9e63ab93d044b9a18194c81b9eb92e6b4d5c5d0e6626003c6f7f0495e609b9a8
                                                • Opcode Fuzzy Hash: a4a2ed9b52c076a80df1eb11bdfd91bcb441753a3fc11e97641cb831f97a7848
                                                • Instruction Fuzzy Hash: 2E7148B0E003498FDF54CFA9C88179EBBF2BF88714F148129EA15A7654EB749841CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 287764cfbb424ccbf300c5ca14cc99e10008c87d94a2b2b2e0e94ca281f41d63
                                                • Instruction ID: e1b8acf582b4d0498a0e37729dfb42f5e82a9a1afa8063c63e5782224ebcf198
                                                • Opcode Fuzzy Hash: 287764cfbb424ccbf300c5ca14cc99e10008c87d94a2b2b2e0e94ca281f41d63
                                                • Instruction Fuzzy Hash: 3551D170A012869FDF55DF78C4407AEB7B6EF89300F10856AE616EB790EB719846CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed588ed435c431d38b0e3c9b2d72ec6e827432773439b24c746dfb20a7f4822b
                                                • Instruction ID: 9687b56e8f06b920e1e48d5bfdffa47a3b53f3a1e4f0e5d507771a379b68ee66
                                                • Opcode Fuzzy Hash: ed588ed435c431d38b0e3c9b2d72ec6e827432773439b24c746dfb20a7f4822b
                                                • Instruction Fuzzy Hash: A7513471D002188FDF58CFA9D884B9EBBB5FF48304F14812AE925AB395D774A840CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 435ea4fc928540359e64d0cfa4e03fb786970464b8a7c3090c3c7398164ec23d
                                                • Instruction ID: 485d3876e5f87736b7bf997ab57f0299ec733d6b4a8b94ffadf5cfd47740d184
                                                • Opcode Fuzzy Hash: 435ea4fc928540359e64d0cfa4e03fb786970464b8a7c3090c3c7398164ec23d
                                                • Instruction Fuzzy Hash: DC41D131B012128FDF649A78C4C076E7BA6EF85210FA48969E64BDB394DB74DC81C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5343a093a88048bb081d51c4318c1a48dedd178d611a99cbdb4d4d6384fadc47
                                                • Instruction ID: 1fc41c6b982a6f8556ccef01e6bbf88eb4f715353a5e851e964b5412a6e01533
                                                • Opcode Fuzzy Hash: 5343a093a88048bb081d51c4318c1a48dedd178d611a99cbdb4d4d6384fadc47
                                                • Instruction Fuzzy Hash: 2941D331B012528FCF64DA78C8C076E7BB6EF85210FA44569D64BDB394DB34DC818791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30253efa0c75370cd27c00ff56b5916956afce4ef7b7ffb3808968a2ba4d195a
                                                • Instruction ID: 992bedb507f826be070844fb9cb691e7e89f3105ddd2382acdcac75d65285db0
                                                • Opcode Fuzzy Hash: 30253efa0c75370cd27c00ff56b5916956afce4ef7b7ffb3808968a2ba4d195a
                                                • Instruction Fuzzy Hash: 9B513371D002188FDF58CFA9C885B9EBBB5BF48314F14812AE925BB391DB74A840CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a2e2885fa7ce31f0c941e24c694dfac6f91599da7c8432e7d04a7a13646c979
                                                • Instruction ID: 5426eb932adc646bffdc8fd92ed5efd5df83e655a241837fc7a92f94b145b52a
                                                • Opcode Fuzzy Hash: 8a2e2885fa7ce31f0c941e24c694dfac6f91599da7c8432e7d04a7a13646c979
                                                • Instruction Fuzzy Hash: 8E51C9B9646942CFC70AEF28F880D593FB1FBD5306301A9EDD2045B27EDEA06955DB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db425a34e9c968718499ccef98d122cbb6de2e25a690491d137e887fe4eeadc0
                                                • Instruction ID: 738fc1cefbea076c41f26cf2ea09687962c9f308f6d36a77022dab8f88290ba9
                                                • Opcode Fuzzy Hash: db425a34e9c968718499ccef98d122cbb6de2e25a690491d137e887fe4eeadc0
                                                • Instruction Fuzzy Hash: 1F31CD31B002468FDF99AB34C490A6E7BE3AF89640F184569D506DB785EF38DC86CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09ff89552b693ea9725d6cb72290eacb1088fd15dbe0746356027d42e6fca3c7
                                                • Instruction ID: d45685b7cd13dbb9e0a7bd45f48722f24c063d140f3d51dae4ac5f1cc124569c
                                                • Opcode Fuzzy Hash: 09ff89552b693ea9725d6cb72290eacb1088fd15dbe0746356027d42e6fca3c7
                                                • Instruction Fuzzy Hash: 3351D7B8646942CFC70AFF28F880D593FA1FBD5306301A9EDD2045B27EDEA06955DB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d1374e46001c18a1b80d78586257151a4526c3662859e46e6a0b9ea3e16f378
                                                • Instruction ID: 306fa84176e51607849ccb2fe561649e7ca107b413ae7f06a87660d4beeb2aa5
                                                • Opcode Fuzzy Hash: 9d1374e46001c18a1b80d78586257151a4526c3662859e46e6a0b9ea3e16f378
                                                • Instruction Fuzzy Hash: DF31AB31B002468FDF89AA38C494A6E7BA7AF89644F244469D506DB785EF34DC86CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 354cf38b05c847142ee54181d95e8494e51adbe4baf494f67846484512d8bc4e
                                                • Instruction ID: c4d6e0d25f6d819f9fbecaca2b402b1169b698a912dc7c58481c9e4910170a67
                                                • Opcode Fuzzy Hash: 354cf38b05c847142ee54181d95e8494e51adbe4baf494f67846484512d8bc4e
                                                • Instruction Fuzzy Hash: A5315235E106559BDB58CFA4D4946AEB7B2FF88300F108929E916E7B94EB70AC42CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d3a04c24b17e477cac3d1465e94dd6f9ab435d9f6bcc99ab4f489363a75327c0
                                                • Instruction ID: 0f490478caf1d7e83f023844aeec4aaeb54d157972d2fbd67f519012e640acd3
                                                • Opcode Fuzzy Hash: d3a04c24b17e477cac3d1465e94dd6f9ab435d9f6bcc99ab4f489363a75327c0
                                                • Instruction Fuzzy Hash: AA315A34A00255CFDF54EB34C850AAD73B6EF89344F5005A8DA06EB3A4DB36ED42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51f0623e82c48c2871087e7f691f212db9c7ca06429030a5b5e172e91d158ee8
                                                • Instruction ID: cf6dd43d58794c95411eca5bbf3818d1d721f7c4a2c4eb699d55b8a04f8fbf68
                                                • Opcode Fuzzy Hash: 51f0623e82c48c2871087e7f691f212db9c7ca06429030a5b5e172e91d158ee8
                                                • Instruction Fuzzy Hash: 6B319E74E002499BDF55CFA4D440BAEF7B6FF89300F108525EA16EB740EB71A846CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b46261d50a3e17e29387f6e92a99b605aacb58ff8728af87d3c70bca28cca6e
                                                • Instruction ID: 1ed44238ccd5241dce4e6d86badc89ea72afae25fb09d714ebc5d5b44fa147f3
                                                • Opcode Fuzzy Hash: 6b46261d50a3e17e29387f6e92a99b605aacb58ff8728af87d3c70bca28cca6e
                                                • Instruction Fuzzy Hash: AC410EB0900349DFEF10CFA9C590ADEBBB1FF48314F208029E919AB254DB759949CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f273a45a8e4f3e227a9e77bdc27fcb90f02c41fe3964a6e53846569463eaccf
                                                • Instruction ID: 659321e934f28a4b53163891ce26a64e60354d773652fc5d7351b201fa9ec8cd
                                                • Opcode Fuzzy Hash: 6f273a45a8e4f3e227a9e77bdc27fcb90f02c41fe3964a6e53846569463eaccf
                                                • Instruction Fuzzy Hash: 07316035E106159BDF59DFA4D49469EBBB2FF89300F108919E906E7B94EB70AC42CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4d7cfcd16a6d52b49d48780550ca3f31d6a2c0b430eca58b41812d631531471
                                                • Instruction ID: c4207b26da7a11dddc696aa1018e88e85d11f3a65d9167fc247a9e77a035df09
                                                • Opcode Fuzzy Hash: e4d7cfcd16a6d52b49d48780550ca3f31d6a2c0b430eca58b41812d631531471
                                                • Instruction Fuzzy Hash: B241EEB0900349DFEF14CFA9C990A9EBBB5FF48714F108029E919AB254DB75A945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 424be199d2f7978f4f0bd2fed7f3abc5dabdd1a9e56620d39783cd1f616aa60c
                                                • Instruction ID: 27ef72a72ea3469341f0030d9c6172fc6ce3a2b97e7296a33aae5f3fc26622fe
                                                • Opcode Fuzzy Hash: 424be199d2f7978f4f0bd2fed7f3abc5dabdd1a9e56620d39783cd1f616aa60c
                                                • Instruction Fuzzy Hash: BA316C34600245CFDF58EB74C854AAE77B2AF89344F5004A8C606EB3A4DF369C41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a53a2bfc0cfc0b21eb30f62f0199eccf9edb0f72748783d77c377c447395cb09
                                                • Instruction ID: 9ce1320aaec85785220bb50a24d6ab3b8c4d445dcbc5ab6c8480c866282cd449
                                                • Opcode Fuzzy Hash: a53a2bfc0cfc0b21eb30f62f0199eccf9edb0f72748783d77c377c447395cb09
                                                • Instruction Fuzzy Hash: FA2127313092C15FD742A739D82069E3FB6EFC7200F0541EBC144CB6A6EA399C4ACB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2421d9701d213a9715193c08f18c8b33c26e8a8417034280b9e5383d60335e06
                                                • Instruction ID: 68115df60484751cad17c67aa244a1516d45bf1d455a8ed3c91fe117a2ca427d
                                                • Opcode Fuzzy Hash: 2421d9701d213a9715193c08f18c8b33c26e8a8417034280b9e5383d60335e06
                                                • Instruction Fuzzy Hash: 86315031E112469BDF45DFA4D4847DEF7B2FF89300F54861AE505AB341DBB19846CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 328c0aba3c7ca2c93dc1afdf00511ab01feea82f1b7d2c529608f8fedfd92638
                                                • Instruction ID: 45e231b1f04d0c33391a9293e5a12f38cbc86f880a7b7bbc3ca9fa34eed33821
                                                • Opcode Fuzzy Hash: 328c0aba3c7ca2c93dc1afdf00511ab01feea82f1b7d2c529608f8fedfd92638
                                                • Instruction Fuzzy Hash: 3F212B38601141DFEF56EB38E884B293B65E7C6354F1059E9E20ECB355EBA4D805CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e52b07c49e336d96d1444a5e17048be78a025620706df51f91dc9ccff68af446
                                                • Instruction ID: 78229027c3e23fd46cbd64fd1df9bd2c8b59448d75d6ba697fd3f1c84300c9e8
                                                • Opcode Fuzzy Hash: e52b07c49e336d96d1444a5e17048be78a025620706df51f91dc9ccff68af446
                                                • Instruction Fuzzy Hash: C4217E31E1120A9BDF45DFA4D484B9EF7B2FF89300F50861AE905EB340DBB19842CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e6f79b27de9a0a17020e5d7831d74c32e253f815453fe39f40676dc475bceab
                                                • Instruction ID: 4cd9c8b8e669de3feef2b4292ccdfef8fe6e003990c231da8b060b7d2e59e0e1
                                                • Opcode Fuzzy Hash: 8e6f79b27de9a0a17020e5d7831d74c32e253f815453fe39f40676dc475bceab
                                                • Instruction Fuzzy Hash: D1211934A00149CFDF54EB78D458B9D77F1EB89305B1004A9E906EB360EB35DD41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09059c77b43eab0d6b1c2e187834a8edbb93ed187dbc1b4637ee81f4fa693428
                                                • Instruction ID: 60b95b68ee11831dad5ff7a2a6122300f4657e963d62cc4992b492184bb0d328
                                                • Opcode Fuzzy Hash: 09059c77b43eab0d6b1c2e187834a8edbb93ed187dbc1b4637ee81f4fa693428
                                                • Instruction Fuzzy Hash: B721A135E1124A9FDF58CFA4D8947DEB7B2AF89300F10862AE915F7340EB719946CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3311745198.000000000260D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0260D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef856e5fdc2dee0d6f9ee3c6c02764ca9155ef8faec717550b05d16a88b44a07
                                                • Instruction ID: 048869b67f136f82da600d38935d57f7df42fd58c24632e1e8a74a8599709d99
                                                • Opcode Fuzzy Hash: ef856e5fdc2dee0d6f9ee3c6c02764ca9155ef8faec717550b05d16a88b44a07
                                                • Instruction Fuzzy Hash: F1210371504284DFDB18DF54D9C0F26BB61EB84314F20C66DD90E0A392C776D447DA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3311745198.000000000260D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0260D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260d000_OKJ2402PRT000025.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b288295eb7fc3b455cbeb6a9ad9523f29c8f564bcb51edae274c75375137bca
                                                • Instruction ID: 6e6202b0f5c11db2f409fab10cb0296c20895a2e41de7cee8c663c524b708ed1
                                                • Opcode Fuzzy Hash: 1b288295eb7fc3b455cbeb6a9ad9523f29c8f564bcb51edae274c75375137bca
                                                • Instruction Fuzzy Hash: E12168710093C09FCB078F60C990B11BF71EB46214F29C5DBD8898F2A3C33A980ADB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3312138611.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_26f0000_OKJ2402PRT000025.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%
