
Windows Analysis Report
yMHzNMo3xY.exe

Overview

General Information

Sample name: yMHzNMo3xY.exe (renamed because the original name is a hash value)
Original sample name: 097b18a8698466754be20ba312481236.exe
Analysis ID: 1430802
MD5: 097b18a8698466754be20ba312481236
SHA1: a978a16fa32c80934417ebb4912a5c69b44b4236
SHA256: 97f689bdc4e9fd3ad22d44f57b2d80f26813b67bddcd816fe4de63a7721be893
Tags: 32, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • yMHzNMo3xY.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\yMHzNMo3xY.exe" MD5: 097B18A8698466754BE20BA312481236)
    • yMHzNMo3xY.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\yMHzNMo3xY.exe" MD5: 097B18A8698466754BE20BA312481236)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp5ua.hyperhost.ua", "Username": "prosperlog@steuler-kch.org", "Password": " 7213575aceACE@#  "}
Source | Rule | Description | Author | Strings
00000001.00000002.2887031548.00000000029EE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.2887031548.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen | 0x64c6b:$x1: In$J$ct0r

Source | Rule | Description | Author | Strings
0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen | 0x64c6b:$x1: In$J$ct0r
0.2.yMHzNMo3xY.exe.39edd90.3.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen | 0x62e6b:$x1: In$J$ct0r
0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | strings listed below
  • 0x31719:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3178b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31815:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x318a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31911:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31983:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31a19:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31aa9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

              System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 91.235.128.141, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\yMHzNMo3xY.exe, Initiated: true, ProcessId: 7460, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
No Snort rule has matched

              AV Detection

Source: yMHzNMo3xY.exe | Avira: detected
Source: 1.2.yMHzNMo3xY.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp5ua.hyperhost.ua", "Username": "prosperlog@steuler-kch.org", "Password": " 7213575aceACE@# "}
Source: yMHzNMo3xY.exe | ReversingLabs: Detection: 31%
Source: yMHzNMo3xY.exe | Virustotal: Detection: 37%
Source: yMHzNMo3xY.exe | Joe Sandbox ML: detected
Source: yMHzNMo3xY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: yMHzNMo3xY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: yMHzNMo3xY.exe, 00000000.00000002.1656249047.0000000005190000.00000004.08000000.00040000.00000000.sdmp, yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 91.235.128.141:587
Source: Joe Sandbox View | IP Address: 91.235.128.141
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: cp5ua.hyperhost.ua
Source: yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cp5ua.hyperhost.ua
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2889899904.0000000006170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2889899904.0000000006170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, NDL2m67zO.cs | .Net Code: xEQ1ZU
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, NDL2m67zO.cs | .Net Code: xEQ1ZU

              System Summary

Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
Source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.298f288.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
Source: 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects downloader injector | Author: ditekSHen
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 0_2_0295AA60
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 0_2_02959188
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04EC3E88
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04EC4AA0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04EC9B28
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04EC41D0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04ECD280
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04EC0CB5
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04EC0D24
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F8BD10
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F8DCCD
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F83F40
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F82EF8
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F856D0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F80040
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F88B78
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F89AF0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F84FF0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_05F8362F
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Code function: 1_2_04ECD278
Source: yMHzNMo3xY.exe, 00000000.00000000.1649655296.000000000057E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename bitsadmin.exe vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1656249047.0000000005190000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename AQipUvwTwkLZyiCs.dll vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653184883.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003985000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Example.dll vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename c8974acb-3a71-4081-a494-e71aa35deda7.exe vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename AQipUvwTwkLZyiCs.dll vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename c8974acb-3a71-4081-a494-e71aa35deda7.exe vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Example.dll vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename c8974acb-3a71-4081-a494-e71aa35deda7.exe vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000001.00000002.2886283255.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename UNKNOWN_FILE vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe | Binary or memory string: OriginalFilename bitsadmin.exe vs yMHzNMo3xY.exe
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.298f288.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_DLInjector02, author = ditekSHen, description = Detects downloader injector
Source: yMHzNMo3xY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yMHzNMo3xY.exe.log
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Mutant created: NULL
Source: yMHzNMo3xY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: yMHzNMo3xY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: yMHzNMo3xY.exe | Static PE information: 0xF952DBE8 [Fri Jul 21 20:30:32 2102 UTC]
Source: yMHzNMo3xY.exe | Static PE information: section name: .text entropy: 7.797131240569471
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\yMHzNMo3xY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion
Source: Yara match | File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: 2980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: 4980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: 2970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: 49A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Window / User API: threadDelayed 1296
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Window / User API: threadDelayed 8569
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7452 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7560 | Thread sleep count: 1296 > 30
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99886s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7560 | Thread sleep count: 8569 > 30
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98762s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98401s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98188s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -98076s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -97016s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96679s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96563s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96453s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96344s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96234s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96125s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -96016s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95906s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95797s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95685s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95469s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -95110s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -94993s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -94766s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -94656s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -94547s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552 | Thread sleep time: -94438s >= -30000s
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99886
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99764
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99328
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99219
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 99094
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98762
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98656
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98547
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98401
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98297
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98188
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 98076
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97969
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97860
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97735
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97610
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97485
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97343
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97234
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97125
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 97016
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96906
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96797
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96679
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96563
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96453
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96344
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96234
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96125
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 96016
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95906
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95797
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95685
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95578
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95469
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95360
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95235
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 95110
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 94993
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 94875
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 94766
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 94656
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 94547
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Thread delayed: delay time: 94438
Source: yMHzNMo3xY.exe, 00000001.00000002.2889899904.0000000006170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, W4ip.cs | Reference to suspicious API methods: ve645LMXEKU.OpenProcess(lUA9OgW.DuplicateHandle, bInheritHandle: true, (uint)aT9Qdac.ProcessID)
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) (2 identical entries)
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Memory written: C:\Users\user\Desktop\yMHzNMo3xY.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Users\user\Desktop\yMHzNMo3xY.exe VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Users\user\Desktop\yMHzNMo3xY.exe VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2887031548.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2887031548.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yMHzNMo3xY.exe PID: 7460, type: MEMORYSTR
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yMHzNMo3xY.exe PID: 7460, type: MEMORYSTR

Remote Access Functionality
              Source: Yara matchFile source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.2887031548.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.2887031548.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yMHzNMo3xY.exe PID: 7460, type: MEMORYSTR
MITRE ATT&CK Matrix (the digits preceding a technique name are the report's signature-count badges for that cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 111 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 111 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement



Source | Detection | Scanner | Label | Link
yMHzNMo3xY.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
yMHzNMo3xY.exe | 37% | Virustotal | | Browse
yMHzNMo3xY.exe | 100% | Avira | HEUR/AGEN.1305389 |
yMHzNMo3xY.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cp5ua.hyperhost.ua | 91.235.128.141 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cp5ua.hyperhost.ua | yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0 | yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
91.235.128.141 | cp5ua.hyperhost.ua | Ukraine | | 15626 | ITLASUA | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430802
Start date and time: 2024-04-24 07:46:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yMHzNMo3xY.exe
renamed because original name is a hash value
Original Sample Name: 097b18a8698466754be20ba312481236.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 60
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:47:00 | API Interceptor | 54x Sleep call for process: yMHzNMo3xY.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
91.235.128.141 | Payment Slip05042024.exe | Get hash | malicious | AgentTesla | Browse |
 | iiafzj49BP.exe | Get hash | malicious | AgentTesla | Browse |
 | DHL Shipping notification-PDF.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
 | SWIFT MESAJI_PDF.exe | Get hash | malicious | AgentTesla | Browse |
 | soya crypted.exe | Get hash | malicious | AgentTesla | Browse |
 | dekont_html.exe | Get hash | malicious | AgentTesla | Browse |
 | [#Uc5d0#Uc2a4#Ud53c#Ucf00#Uc774-220620]#Uacac#Uc801#Uc11c.scr.exe | Get hash | malicious | AgentTesla | Browse |
 | F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe | Get hash | malicious | AgentTesla | Browse |
 | Dekont_html.exe | Get hash | malicious | AgentTesla | Browse |
 | soya crypt.exe | Get hash | malicious | AgentTesla | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
cp5ua.hyperhost.ua | Payment Slip05042024.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | iiafzj49BP.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | DHL Shipping notification-PDF.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 91.235.128.141
 | SWIFT MESAJI_PDF.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | soya crypted.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | dekont_html.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | [#Uc5d0#Uc2a4#Ud53c#Ucf00#Uc774-220620]#Uacac#Uc801#Uc11c.scr.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | Dekont_html.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
 | soya crypt.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ITLASUA | copy#10476235.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 5.34.182.232
 | Receipt_681002.exe | Get hash | malicious | AgentTesla, AsyncRAT, PureLog Stealer | Browse | 5.34.182.232
 | SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse | 5.34.182.232
 | Receipt_7814002.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 5.34.182.232
 | IMG_210112052.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 5.34.182.232
 | Receipt_032114005.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 5.34.182.232
 | Remittance0098876.exe | Get hash | malicious | AgentTesla | Browse | 195.54.163.133
 | PO24-0626.exe | Get hash | malicious | AgentTesla | Browse | 195.54.163.133
 | fhSHwOyb33.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 217.12.214.61
 | Payment Slip05042024.exe | Get hash | malicious | AgentTesla | Browse | 91.235.128.141
                                        No context
Process: C:\Users\user\Desktop\yMHzNMo3xY.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.349842958726647
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5: 9BA266AD16952A9A57C3693E0BCFED48
SHA1: 5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256: A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512: 678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.791291293214221
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: yMHzNMo3xY.exe
File size: 437'760 bytes
MD5: 097b18a8698466754be20ba312481236
SHA1: a978a16fa32c80934417ebb4912a5c69b44b4236
SHA256: 97f689bdc4e9fd3ad22d44f57b2d80f26813b67bddcd816fe4de63a7721be893
SHA512: 7c59ea659ef78a97e3325c93a7241ff5848a781193a63e6119218f3f61b424dbd623c2a3e9063e77698ce8a9b86285caee978dd2eba24a45ac1f744338f4bf0c
SSDEEP: 12288:VEPWb55F18/EeTUsweRDKoZNS8oJkA6/RAsrhuMxo:VEeb11leTVIoZNQt6ekT
TLSH: 9B94F1A4DBEFD906F39A02B56CA325C91ABFF465873606F238033C2660429C7C59B7D0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....R...............0.................. ........@.. ....................... ............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x46c0fe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF952DBE8 [Fri Jul 21 20:30:32 2102 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al    ; this line repeats 97 times in the report: the zero bytes following the CLR entry stub decode as "add byte ptr [eax], al"
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c0b0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x646 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6a104 | 0x6a200 | d175bb26025b11d618f46c99b6ae63e6 | False | 0.8224013545347467 | data | 7.797131240569471 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6e000 | 0x646 | 0x800 | a34c3a758a658e59ef17a06708109275 | False | 0.35205078125 | data | 3.5393975639191746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x70000 | 0xc | 0x200 | f69c0c7d2758c8966d670faf236243bb | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6e0a0 | 0x3bc | data | | | 0.4299163179916318
RT_MANIFEST | 0x6e45c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:47:02.108885050 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:02.438361883 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:02.438487053 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:04.058654070 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:04.060091972 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:04.389550924 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:04.399223089 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:04.731966019 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:04.741091967 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:05.080543995 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.080626011 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.080667019 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.080681086 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:05.080703020 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.080761909 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:05.082927942 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.126471043 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:05.456074953 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.472125053 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:05.801254034 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:05.802314043 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:06.132236004 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:06.132606983 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:06.471066952 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:06.471611023 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:06.800869942 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:06.801141024 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:07.169787884 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.200803041 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.201061964 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:07.530276060 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.530333042 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.530999899 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:07.531105995 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:07.531105995 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:07.531105995 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:47:07.860373974 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.860395908 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.860940933 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.876195908 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:47:07.927520037 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:48:41.931154966 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Apr 24, 2024 07:48:42.261641979 CEST | 587 | 49730 | 91.235.128.141 | 192.168.2.4
Apr 24, 2024 07:48:42.269771099 CEST | 49730 | 587 | 192.168.2.4 | 91.235.128.141
Timestamp                              Source Port  Dest Port  Source IP       Dest IP
Apr 24, 2024 07:47:01.905728102 CEST   64351        53         192.168.2.4     1.1.1.1
Apr 24, 2024 07:47:02.083401918 CEST   53           64351      1.1.1.1         192.168.2.4
Timestamp                              Source IP       Dest IP         Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Apr 24, 2024 07:47:01.905728102 CEST   192.168.2.4     1.1.1.1         0x2537    Standard query (0)  cp5ua.hyperhost.ua  A (IP address)  IN (0x0001)  false
Timestamp                              Source IP       Dest IP         Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Apr 24, 2024 07:47:02.083401918 CEST   1.1.1.1         192.168.2.4     0x2537    No error (0)  cp5ua.hyperhost.ua  -      91.235.128.141  A (IP address)  IN (0x0001)  false
Timestamp                              Source Port  Dest Port  Source IP       Dest IP         Commands
Apr 24, 2024 07:47:04.058654070 CEST   587          49730      91.235.128.141  192.168.2.4     220-cp5ua.hyperhost.ua ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 08:47:01 +0300
                                                                                               220-We do not authorize the use of this system to transport unsolicited,
                                                                                               220 and/or bulk e-mail.
Apr 24, 2024 07:47:04.060091972 CEST   49730        587        192.168.2.4     91.235.128.141  EHLO 347688
Apr 24, 2024 07:47:04.389550924 CEST   587          49730      91.235.128.141  192.168.2.4     250-cp5ua.hyperhost.ua Hello 347688 [154.16.105.36]
                                                                                               250-SIZE 52428800
                                                                                               250-8BITMIME
                                                                                               250-PIPELINING
                                                                                               250-PIPECONNECT
                                                                                               250-STARTTLS
                                                                                               250 HELP
Apr 24, 2024 07:47:04.399223089 CEST   49730        587        192.168.2.4     91.235.128.141  STARTTLS
Apr 24, 2024 07:47:04.731966019 CEST   587          49730      91.235.128.141  192.168.2.4     220 TLS go ahead
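The dialogue above is the opening of an SMTP submission session on port 587, consistent with AgentTesla's SMTP exfiltration channel. The capture goes dark after "220 TLS go ahead" because everything from that point is inside TLS, so the AUTH credentials and the message itself are not in this pcap; what the cleartext part does give an analyst is the server host and software banner, the EHLO name the client announced (347688), the address the server echoed back in its Hello line (154.16.105.36), and the fact that STARTTLS was offered and accepted. The following added example (not part of the Joe Sandbox report) parses such a transcript into those indicators. The transcript and the second, AUTH-in-the-clear transcript are constructed from the lines on this page; the parser joins multi-line replies the way RFC 5321 section 4.2.1 defines them (a hyphen after the code means more lines follow, a space means the last line), which is what makes the EHLO capability list read as one reply.

```python
"""Extract indicators from the SMTP submission dialogue captured above.

Added example (not part of the Joe Sandbox report). TRANSCRIPT is constructed
from the lines shown on this page; the parser joins multi-line replies the way
RFC 5321 section 4.2.1 defines them ('250-' continues, '250 ' ends) so the
EHLO capability list is read as one reply.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# ("S", server line) / ("C", client line), in wire order. Constructed from the page.
TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220-cp5ua.hyperhost.ua ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 08:47:01 +0300"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 347688"),
    ("S", "250-cp5ua.hyperhost.ua Hello 347688 [154.16.105.36]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPECONNECT"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]

# Constructed counter-example: same banner and EHLO, but the client starts
# AUTH LOGIN without STARTTLS, so its credentials would cross the wire in clear.
CLEARTEXT_AUTH_TRANSCRIPT: List[Tuple[str, str]] = TRANSCRIPT[:11] + [
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),   # base64 "Username:"
]

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class SmtpIndicators:
    server_host: Optional[str] = None        # hostname in the 220 greeting
    server_software: Optional[str] = None    # rest of the greeting line
    ehlo_name: Optional[str] = None          # name the client announced
    client_public_ip: Optional[str] = None   # address the server saw us from
    extensions: List[str] = field(default_factory=list)
    starttls_offered: bool = False
    starttls_accepted: bool = False
    auth_seen_in_clear: bool = False         # AUTH before STARTTLS leaks creds


def group_replies(transcript: List[Tuple[str, str]]) -> Iterator[tuple]:
    """Yield ("C", command) for client lines and ("S", code, lines) for each
    complete server reply; a '-' separator means the reply continues."""
    code_so_far: Optional[str] = None
    lines: List[str] = []
    for direction, text in transcript:
        if direction == "C":
            if lines:
                raise ValueError("client spoke inside a multi-line reply")
            yield ("C", text)
            continue
        m = REPLY_RE.match(text)
        if not m:
            raise ValueError(f"malformed server line: {text!r}")
        code, sep, rest = m.groups()
        if code_so_far not in (None, code):
            raise ValueError("reply code changed mid-reply")
        code_so_far = code
        lines.append(rest)
        if sep == " ":                        # last line of this reply
            yield ("S", code, lines)
            code_so_far, lines = None, []
    if lines:
        raise ValueError("transcript ends inside a multi-line reply")


def parse_session(transcript: List[Tuple[str, str]]) -> SmtpIndicators:
    """Walk the grouped dialogue and fill in the indicators."""
    ind = SmtpIndicators()
    last_verb: Optional[str] = None
    for item in group_replies(transcript):
        if item[0] == "C":
            verb, _, arg = item[1].partition(" ")
            last_verb = verb.upper()
            if last_verb in ("EHLO", "HELO"):
                ind.ehlo_name = arg
            elif last_verb == "AUTH" and not ind.starttls_accepted:
                ind.auth_seen_in_clear = True
            continue
        _, code, lines = item
        if last_verb is None and code == "220":          # greeting banner
            ind.server_host, _, ind.server_software = lines[0].partition(" ")
        elif last_verb in ("EHLO", "HELO") and code == "250":
            m = re.search(r"\[([0-9.]+)\]", lines[0])
            ind.client_public_ip = m.group(1) if m else None
            ind.extensions = [l.split(" ", 1)[0].upper() for l in lines[1:]]
            ind.starttls_offered = "STARTTLS" in ind.extensions
        elif last_verb == "STARTTLS" and code == "220":
            ind.starttls_accepted = True   # everything after this is inside TLS
    return ind


if __name__ == "__main__":
    print(parse_session(TRANSCRIPT))
    print(parse_session(CLEARTEXT_AUTH_TRANSCRIPT))
```

The continuation check matters in practice: a naive parser that stops at the first "250" line reports no STARTTLS and misses the extension list entirely. The auth_seen_in_clear flag is the case worth alerting on in a pcap; here it stays false because the sample negotiated TLS before authenticating, which is why the credentials have to come from the memory dumps rather than from the network capture.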

                                        Target ID:0
                                        Start time:07:46:59
                                        Start date:24/04/2024
                                        Path:C:\Users\user\Desktop\yMHzNMo3xY.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\yMHzNMo3xY.exe"
                                        Imagebase:0x510000
                                        File size:437'760 bytes
                                        MD5 hash:097B18A8698466754BE20BA312481236
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:07:46:59
                                        Start date:24/04/2024
                                        Path:C:\Users\user\Desktop\yMHzNMo3xY.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\yMHzNMo3xY.exe"
                                        Imagebase:0x6d0000
                                        File size:437'760 bytes
                                        MD5 hash:097B18A8698466754BE20BA312481236
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2887031548.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2887031548.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:5.5%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:76%
                                          Total number of Nodes:25
                                          Total number of Limit Nodes:1
execution_graph (rendered graph; node list summarised): 0x295a9a0 -> 0x295a9ba -> 0x295aa60 -> 0x295aa93 -> 0x2959b1c -> 0x295b590 CreateProcessW -> 0x295b776; 0x295ac6a -> 0x2959b28 Wow64GetThreadContext -> 0x295ad64 -> 0x2959b40 ReadProcessMemory -> 0x295ae44 -> 0x295a790 VirtualAllocEx -> 0x295af61 -> 0x295a638 WriteProcessMemory -> 0x295b045 -> 0x295a638 WriteProcessMemory (looping back to 0x295b045) -> 0x295b240 -> 0x295a638 WriteProcessMemory -> 0x295b27e -> 0x295a510 Wow64SetThreadContext -> 0x295b366 -> 0x295a8b0 ResumeThread -> 0x295b423 -> back to 0x295a9ba.
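The execution graph above is the textbook process-hollowing chain, which is the behaviour behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures: CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory (three call sites, one of them in a loop), Wow64SetThreadContext, ResumeThread. As an added example (not Joe Sandbox's signature logic), the following Python matches that ordered chain in an API call trace. The trace is constructed from the node list on this page; since the graph records no call arguments, the check is on call order alone and by itself cannot confirm CREATE_SUSPENDED or what image was written, which is stated as an assumption in the code.

```python
"""Match the process-hollowing API chain seen in the execution graph above.

Added example (not Joe Sandbox code). The trace is constructed from the
graph's node list; only call ORDER is available there, so this does not
check arguments such as CREATE_SUSPENDED or the written image (assumption).
"""
from typing import Iterable, List, Optional, Sequence, Tuple

ApiEvent = Tuple[int, str]  # (address of the calling stub, API name)

# Steps of the chain, in order. Each step lists the API names that satisfy
# it; the WOW64 and native thread-context variants are treated alike.
HOLLOWING_CHAIN: Sequence[Tuple[str, ...]] = (
    ("CreateProcessW", "CreateProcessA"),            # new host process
    ("GetThreadContext", "Wow64GetThreadContext"),   # x86: EBX -> PEB, EAX -> entry
    ("ReadProcessMemory",),                          # read remote PEB / image base
    ("VirtualAllocEx",),                             # room for the payload image
    ("WriteProcessMemory",),                         # typically headers, sections, PEB patch
    ("SetThreadContext", "Wow64SetThreadContext"),   # point the thread at the payload
    ("ResumeThread",),                               # run it
)

# Constructed from the execution graph on this page (process 0).
SAMPLE_TRACE: List[ApiEvent] = [
    (0x295b590, "CreateProcessW"),
    (0x2959b28, "Wow64GetThreadContext"),
    (0x2959b40, "ReadProcessMemory"),
    (0x295a790, "VirtualAllocEx"),
    (0x295a638, "WriteProcessMemory"),
    (0x295a638, "WriteProcessMemory"),
    (0x295a638, "WriteProcessMemory"),
    (0x295a510, "Wow64SetThreadContext"),
    (0x295a8b0, "ResumeThread"),
]

# Constructed counter-examples: a plain child launch, and the same APIs with
# the thread resumed before anything is written (no hollowing possible).
BENIGN_TRACE: List[ApiEvent] = [
    (0x401000, "CreateProcessW"),
    (0x401040, "ResumeThread"),
]
OUT_OF_ORDER_TRACE: List[ApiEvent] = [
    (0x401000, "CreateProcessW"),
    (0x401010, "Wow64GetThreadContext"),
    (0x401020, "ResumeThread"),
    (0x401030, "VirtualAllocEx"),
    (0x401040, "WriteProcessMemory"),
    (0x401050, "Wow64SetThreadContext"),
]


def match_hollowing(events: Iterable[ApiEvent]) -> Optional[List[ApiEvent]]:
    """Return the events that satisfy each step of HOLLOWING_CHAIN in order,
    or None if the chain is incomplete. Unrelated calls in between are
    skipped, and repeated WriteProcessMemory calls collapse onto one step."""
    step = 0
    matched: List[ApiEvent] = []
    for event in events:
        if event[1] in HOLLOWING_CHAIN[step]:
            matched.append(event)
            step += 1
            if step == len(HOLLOWING_CHAIN):
                return matched
    return None


def count_writes(events: Iterable[ApiEvent]) -> int:
    """Number of WriteProcessMemory calls. A full image needs at least the
    headers plus one section, so a single write is a weak signal."""
    return sum(1 for _, api in events if api == "WriteProcessMemory")


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE),
                        ("out-of-order", OUT_OF_ORDER_TRACE)):
        verdict = "HOLLOWING" if match_hollowing(trace) else "no match"
        print(f"{name:13s} {verdict:10s} writes={count_writes(trace)}")
```

ReadProcessMemory is a required step here because this sample uses it to fetch the remote image base; loaders that compute the base from the thread context alone skip that read, so a production rule should make that step optional and instead require the write count to be at least two. The out-of-order trace shows why ordering, not just the set of APIs, is the signal: the same calls with ResumeThread before the writes are not hollowing.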

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x2959188, blocks 0x2959188-0x29594be; block 0x29591df fans out to sixteen target blocks between 0x29591e6 and 0x2959445, the case blocks falling through to 0x295943d; calls 0x2958910 (from 0x2959434) and 0x29503e0 (from 0x29593d7).
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Xbq$$^q
                                          • API String ID: 0-1593437937
                                          • Opcode ID: 166ac877ca7746559644a3d09144094225b909e662a4e9dc7db5eee53fdb4616
                                          • Instruction ID: bec40c1971bedb1082e9b0e93b0b4f229d739fb7296167642544bebda3d8ae5a
                                          • Opcode Fuzzy Hash: 166ac877ca7746559644a3d09144094225b909e662a4e9dc7db5eee53fdb4616
                                          • Instruction Fuzzy Hash: 03815474B002289BEB18EF79985476E7BB7BFC4700F54852ED44AE7298CE349C428795
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x295aa60, blocks 0x295aa60-0x295b575; call sites in address order: 0x295ac45 -> 0x2959b1c (CreateProcessW wrapper), 0x295ad52 -> 0x2959b28 (Wow64GetThreadContext), 0x295adb1 -> 0x2959b34, 0x295ae1e -> 0x2959b40 (ReadProcessMemory), 0x295aea8 -> 0x2959b4c, 0x295aefe -> 0x295a790 (VirtualAllocEx), 0x295b024 / 0x295b152 / 0x295b240 -> 0x295a638 (WriteProcessMemory), 0x295b34b -> 0x295a510 (Wow64SetThreadContext), 0x295b3b3 -> 0x2959b58, 0x295b40f -> 0x295a8b0 (ResumeThread).
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (
                                          • API String ID: 0-3887548279
                                          • Opcode ID: 3ecb6862a772a0949fa349e4868d358d8a76305ced0b36734922a2013155a51d
                                          • Instruction ID: e609be8ccd4d9aeab95c6f769df60eb7bd48f5de895af6419cb2ba70c9f07e1c
                                          • Opcode Fuzzy Hash: 3ecb6862a772a0949fa349e4868d358d8a76305ced0b36734922a2013155a51d
                                          • Instruction Fuzzy Hash: 7852D270E012288FDB68DF65C954BEDBBF2BF89304F1085EA9409AB295DB345E85CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x2959b1c, blocks 0x2959b1c-0x295b87d; CreateProcessW is called in block 0x295b6a7-0x295b774.
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0295B761
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 4e869a688810b08e1a96bcfb903f144d9e5ecfb00e629b5dd430c3ace592635c
                                          • Instruction ID: b21e6bac02b97c9ecfd66d8145433a1e42130bb569e4b11f2f8d69478ff10ac3
                                          • Opcode Fuzzy Hash: 4e869a688810b08e1a96bcfb903f144d9e5ecfb00e629b5dd430c3ace592635c
                                          • Instruction Fuzzy Hash: BF81C074D0026DDFDB20CFA9C980BEDBBF5AB49304F1491AAE508B7260DB749A85CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x295a638, blocks 0x295a638-0x295a776; WriteProcessMemory is called in block 0x295a6ba-0x295a71b.
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0295A70B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 4a220cb0a4343a24f8edb89bba252431b28e8e5631c4556957c547245205a344
                                          • Instruction ID: 351e0d1eb9dbed33732ad8a8aad8df927656e4357de3e1f2061da4d4f2cdd3f1
                                          • Opcode Fuzzy Hash: 4a220cb0a4343a24f8edb89bba252431b28e8e5631c4556957c547245205a344
                                          • Instruction Fuzzy Hash: 29419AB5D012589FCF00CFA9D984ADEFBF1BB49314F10902AE818B7250D738AA45CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x2959b40, blocks 0x2959b40-0x295bac4; ReadProcessMemory is called in the entry block 0x2959b40-0x295ba7d.
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0295BA6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: d55e0edf6f1a2fbc917774b845c53e293a51f09721f31d18fbb5c025c18df72a
                                          • Instruction ID: 41a7377a0f52c16841a7d0df21ccdcfb6a429151177c6f66e9a0334880c8858e
                                          • Opcode Fuzzy Hash: d55e0edf6f1a2fbc917774b845c53e293a51f09721f31d18fbb5c025c18df72a
                                          • Instruction Fuzzy Hash: 824166B9D042589FCF10CFAAD984ADEFBF5BB09314F10906AE814B7210D335A945CF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x295a790, blocks 0x295a790-0x295a89d; VirtualAllocEx is called in the entry block 0x295a790-0x295a84a.
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0295A83A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 0ffecc09a17de56f73d7d6e83c3eec1d7865c5a2ce51c8bdea0080fc7fa8b143
                                          • Instruction ID: 98c228011cbbc5b1e0699e7df8f91e8a0654a3eeebdb486d6a3d40de3aed1410
                                          • Opcode Fuzzy Hash: 0ffecc09a17de56f73d7d6e83c3eec1d7865c5a2ce51c8bdea0080fc7fa8b143
                                          • Instruction Fuzzy Hash: 793187B9D042589FCF10CFA9D980ADEFBB5BB49310F10942AE915B7210D735A946CF98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x295a510, blocks 0x295a510-0x295a624; Wow64SetThreadContext is called in block 0x295a587-0x295a5cf.
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 0295A5BF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: ebd10963b94d282403f02be8ff1ae07d49f605322fa99ed3d24a2ef971cb99c4
                                          • Instruction ID: 6da0c3ff1fb3cf3b992b8ffc01aec1dd864d1e6ed3c20f1e3a30dc9e82c4afd7
                                          • Opcode Fuzzy Hash: ebd10963b94d282403f02be8ff1ae07d49f605322fa99ed3d24a2ef971cb99c4
                                          • Instruction Fuzzy Hash: 0631ACB5D012589FCB10CFA9D984AEEFFF5BB49314F24842AE414B7250D738A985CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x2959b28, blocks 0x2959b28-0x295b9ab; Wow64GetThreadContext is called in block 0x295b923-0x295b96a.
                                          APIs
                                          • Wow64GetThreadContext.KERNEL32(?,?), ref: 0295B95A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 484119bcad4ca343b81bf2e2400b09e5e2495c99ac9e23032c97fc7c71261664
                                          • Instruction ID: 9ac69a91544a1d3a29b22694ae81cfd39f0ea1c6ebb82f9928ae97e6561a5662
                                          • Opcode Fuzzy Hash: 484119bcad4ca343b81bf2e2400b09e5e2495c99ac9e23032c97fc7c71261664
                                          • Instruction Fuzzy Hash: 7031BBB4D052589FCB10CFA9D584AEEFBF4BB09318F14902AE818B7210C378A945CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
control_flow_graph (rendered graph): function 0x295a8b0, blocks 0x295a8b0-0x295a989; ResumeThread is called in the entry block 0x295a8b0-0x295a93e.
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 0295A92E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653736780.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2950000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: bfc90cf9e8d0e821c22b5ebe59f41d09c9ca8d6f362daa2235c91b6778b16a85
                                          • Instruction ID: b54cd466785582ceb48bd7ba20bf29a8daa31f8e70e1e52cee3175bdb441860e
                                          • Opcode Fuzzy Hash: bfc90cf9e8d0e821c22b5ebe59f41d09c9ca8d6f362daa2235c91b6778b16a85
                                          • Instruction Fuzzy Hash: 5C31ABB4D012689FCF14CFA9D584A9EFBB4AB49310F10942AE815B7210C735A941CF98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653014517.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_cbd000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba43c9e44ab29311b5730aff957092676f49afeffb4c607fbf046c9ca8ef0363
                                          • Instruction ID: c6f6dbc73fa6492b0740be8f990ac65b905d2623822a9715679bdd876bc7ca59
                                          • Opcode Fuzzy Hash: ba43c9e44ab29311b5730aff957092676f49afeffb4c607fbf046c9ca8ef0363
                                          • Instruction Fuzzy Hash: BA2176B1500200DFCB15EF14D9C0B67BF65FBA8328F30C569E80A0B256D336D94ACBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1653014517.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_cbd000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                          • Instruction ID: f9b7fdcb2edd2d44b7d65ac2f9dbc80e8ccc532d718208c9ea0bbf914c9a6a3e
                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                          • Instruction Fuzzy Hash: 6F11E6B6504244CFCB16CF10D9C4B56BF72FBA4314F24C6A9DC0A0B256C33AD95ACBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:10.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:35
                                          Total number of Limit Nodes:7
execution_graph (rendered graph; node list summarised): 0x4ec0848 -> 0x4ec084e -> 0x4ec137f / 0x4ec1378 -> 0x4ec7090 -> 0x4ec709a, which fans out to 0x5f8d5f8, 0x5f8d379 and 0x5f8d3b8; the only API reached in this graph is GlobalMemoryStatusEx (nodes 0x5f8d5f8, 0x5f8e1c0 and 0x5f8e2ee), with results flowing back through 0x4ec70b4 to 0x4ec1378.
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b1537667f9aa960e0ed479cffc32dcb292c939f01c3d5e1b4181c2788c31840
                                          • Instruction ID: 18ecf967694625a61306bb316f216df00acd5f85df304b55c5a4efdb2ade5e91
                                          • Opcode Fuzzy Hash: 5b1537667f9aa960e0ed479cffc32dcb292c939f01c3d5e1b4181c2788c31840
                                          • Instruction Fuzzy Hash: 5F63E731D10B1A8ADB11EF68C884699F7B1FF99300F15D79AE45877221EB70AAC5CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vl
                                          • API String ID: 0-682378881
                                          • Opcode ID: f97fe8a8eeee528dc9cbbff0bacdd4870110eb25845411ee17aa4e9a3765f0ca
                                          • Instruction ID: eccf7d2bbdec90454a98dd816e1625748d6aeba400b9f7e3eb49bb49915f8f60
                                          • Opcode Fuzzy Hash: f97fe8a8eeee528dc9cbbff0bacdd4870110eb25845411ee17aa4e9a3765f0ca
                                          • Instruction Fuzzy Hash: A3918F70E00259DFDF14CFA8CA917DDBBF2AF48318F14952DE854A7294EB34A846CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d1a79be8aa496fb55d3492aff3fc2a84ff4d979efd22fa4fc7a4ef33184b12a3
                                          • Instruction ID: 568f608f16ffd65a5f3077e5c9f6cf8f95ef23961eadecac7285b5a9d7672f4e
                                          • Opcode Fuzzy Hash: d1a79be8aa496fb55d3492aff3fc2a84ff4d979efd22fa4fc7a4ef33184b12a3
                                          • Instruction Fuzzy Hash: 51B16E70E00209DFDB10DFA9DAA17DDBBF2AF88318F14952DD415E7294EB74A846CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Function 4ec480c-4ec4a64 (Executed / Not Executed colouring not recoverable as text); calls 4ec0ab8 from blocks 4ec4a1f-4ec4a22 and 4ec4a33-4ec4a36.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vl$\Vl
                                          • API String ID: 0-415357090
                                          • Opcode ID: 16a9ce3db8d648d2b08c7e676981249d3f48db7565cef651518058621bc988a9
                                          • Instruction ID: 8f00371a7bdfa4dd89884ef6b43b8502aa16b5a890d38543c5c900ad9236103d
                                          • Opcode Fuzzy Hash: 16a9ce3db8d648d2b08c7e676981249d3f48db7565cef651518058621bc988a9
                                          • Instruction Fuzzy Hash: 30717CB1E00259CFDB10CFA8C9917DDBBF1AF88314F149129E458A7294EB34A846CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Function 4ec4818-4ec4a64 (Executed / Not Executed colouring not recoverable as text); calls 4ec0ab8 from blocks 4ec4a1f-4ec4a22 and 4ec4a33-4ec4a36.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vl$\Vl
                                          • API String ID: 0-415357090
                                          • Opcode ID: 45f941d22b2dba9cfc5b27630b32af04a67ec82d0628f210c7e196c4f479073f
                                          • Instruction ID: 885f4a59c70dccf56d4f68d4aa2c39c5e478632c0fdd677aa0cae8077b109d84
                                          • Opcode Fuzzy Hash: 45f941d22b2dba9cfc5b27630b32af04a67ec82d0628f210c7e196c4f479073f
                                          • Instruction Fuzzy Hash: 977180B1E00259CFDF10CFA9C9907DDBBF2AF88314F14912DE454A7294EB34A846CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Function 4ec6eda-4ec70f1 (Executed / Not Executed colouring not recoverable as text); calls 4ec6c40 (block 4ec6eda-4ec6f42), 4ec638c (block 4ec6f44-4ec6f5d) and 4ec7908 (block 4ec6fd2).
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR^q$LR^q
                                          • API String ID: 0-4089051495
                                          • Opcode ID: b595fad714602f4c6a6546803e0e0a76f5c79d64d5819a26b038a9e426abe8b1
                                          • Instruction ID: f1a227a64b82430d93542b938c8efc96133df620a002f8a74c637d954cf10d91
                                          • Opcode Fuzzy Hash: b595fad714602f4c6a6546803e0e0a76f5c79d64d5819a26b038a9e426abe8b1
                                          • Instruction Fuzzy Hash: 98419E30A102159FEB15DFB8C5557AEB7B2EF89308F10842AE405EB290EB71A843CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Function 5f8e1c0-5f8e34d (Executed / Not Executed colouring not recoverable as text); calls 5f8d36c (block 5f8e1dd-5f8e204), 5f8d378 (block 5f8e205-5f8e224) and GlobalMemoryStatusEx (block 5f8e28f-5f8e31c).
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2889720915.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_5f80000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bded14c3b2b850aa1d4a509169d4beb67d5ef55625f1277e383d2c76d67dcb05
                                          • Instruction ID: 4fe914ac03f3414bea1191347e5af3b450b08aeb47f8d4ab12d41523c37e26e3
                                          • Opcode Fuzzy Hash: bded14c3b2b850aa1d4a509169d4beb67d5ef55625f1277e383d2c76d67dcb05
                                          • Instruction Fuzzy Hash: 42411572E083958FCB04DFB9D8142ADBFB5BF89210F1985AAD444E7251EB789844CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 05F8E30F
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2889720915.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_5f80000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 61f3bb3a299b4be577168745d46c403989832bb774c0c65a891997e2a34c1814
                                          • Instruction ID: 252da45886d9502662b8067519c81572b033baf110bd83109bf1580f0ce179c6
                                          • Opcode Fuzzy Hash: 61f3bb3a299b4be577168745d46c403989832bb774c0c65a891997e2a34c1814
                                          • Instruction Fuzzy Hash: 3711F3B1C006599BCB10DF9AC544BDEFBF4FF48320F14816AD918A7250D378A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%
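The block above is the only function in these dumps that Joe Sandbox ties to a Win32 import: GlobalMemoryStatusEx in KERNELBASE, referenced at 05F8E30F, from a region the report marks `based on PE: false` (code carved out of memory rather than mapped from the file on disk). GlobalMemoryStatusEx returns the physical and virtual memory sizes, which is a common way for malware to fingerprint low-RAM sandboxes, so these are the functions worth pulling out of a report of this size. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it turns the per-function metadata blocks into records and lists the API-calling functions with their instruction fuzzy hashes for correlation against other dumps. The names `FunctionRecord`, `parse_blocks` and `functions_with_apis` are mine; `SAMPLE` is copied from two blocks on this page.

```python
"""Parse Joe Sandbox per-function metadata blocks (Memory Dump Source /
Similarity / Uniqueness) from a text export into records and report the
functions that reference Win32 APIs. Added example; SAMPLE is lifted from the
report text, the field names are the report's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two metadata blocks copied from the report above.
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 05F8E30F
Memory Dump Source
• Source File: 00000001.00000002.2889720915.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5f80000_yMHzNMo3xY.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 61f3bb3a299b4be577168745d46c403989832bb774c0c65a891997e2a34c1814
• Instruction ID: 252da45886d9502662b8067519c81572b033baf110bd83109bf1580f0ce179c6
• Opcode Fuzzy Hash: 61f3bb3a299b4be577168745d46c403989832bb774c0c65a891997e2a34c1814
• Instruction Fuzzy Hash: 3711F3B1C006599BCB10DF9AC544BDEFBF4FF48320F14816AD918A7250D378A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
Similarity
• API ID:
• String ID: PH^q
• API String ID: 0-2549759414
• Opcode ID: 8b4023a5142d3be4622ca837010460ac891761eab515407aa95aef44cce6e529
• Instruction ID: 70c7eef260283c0c25de81296b4e7130a4aa5da7d40ac6cd0df9044b4d3891b8
• Opcode Fuzzy Hash: 8b4023a5142d3be4622ca837010460ac891761eab515407aa95aef44cce6e529
• Instruction Fuzzy Hash: 1A31CC30B002018FCB199F7486542AE7BA3AB88644F20553DD006DB399EE39EC87CBA1
Uniqueness

Uniqueness Score: -1.00%
"""

API_REF = re.compile(r"^•\s*(\w+)\.(\w+)\s+ref:\s*([0-9A-Fa-f]+)$")  # Api.Module ref: addr
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")                          # • Key: value
SCORE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%$")
BLOCK_STARTERS = ("APIs", "Strings", "Memory Dump Source")


@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)    # "API ID", "Opcode ID", ...
    api_refs: list = field(default_factory=list)  # (api, module, ref_address)
    offset: Optional[int] = None                  # dump base from "Source File"
    based_on_pe: Optional[bool] = None            # False = carved, not a mapped PE
    uniqueness: Optional[float] = None


def parse_blocks(text: str) -> list:
    """One FunctionRecord per block; a block ends at its Uniqueness Score line."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None and line in BLOCK_STARTERS:
            cur = FunctionRecord()
        if cur is None:
            continue  # graph residue or other text between blocks
        if line == "APIs":
            in_apis = True  # following bullets are API references, not fields
            continue
        if line == "Memory Dump Source":
            in_apis = False
            continue
        m = SCORE.match(line)
        if m:
            cur.uniqueness = float(m.group(1))
            records.append(cur)
            cur, in_apis = None, False
            continue
        m = API_REF.match(line) if in_apis else None
        if m:
            cur.api_refs.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            # One bullet carries three comma-separated facts; split them out.
            parts = [p.strip() for p in value.split(",")]
            cur.fields[key] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                if k.strip() == "Offset":
                    cur.offset = int(v.strip(), 16)
                elif k.strip() == "based on PE":
                    cur.based_on_pe = v.strip().lower() == "true"
        else:
            cur.fields[key] = value
    return records


def functions_with_apis(records):
    """(instruction fuzzy hash, [api names]) for every function that imports,
    the pair you would carry over to compare against another dump's blocks."""
    return [(r.fields.get("Instruction Fuzzy Hash"), [a[0] for a in r.api_refs])
            for r in records if r.api_refs]


if __name__ == "__main__":
    for fuzzy_hash, apis in functions_with_apis(parse_blocks(SAMPLE)):
        print(fuzzy_hash, apis)
```

Feed it the full text export rather than `SAMPLE` and the `offset`/`based_on_pe` fields also let you group functions by dump region, which here separates the 04EC0000 and 05F80000 regions that the report lists separately.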

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vl
                                          • API String ID: 0-682378881
                                          • Opcode ID: 614fe52bc21145a7fda5c7f61b2c0b700371a43729a64d715af05e56ba14e6ea
                                          • Instruction ID: decab41d28d558d00fffc99390d05657976cede1cf238385664fd0fd28b23568
                                          • Opcode Fuzzy Hash: 614fe52bc21145a7fda5c7f61b2c0b700371a43729a64d715af05e56ba14e6ea
                                          • Instruction Fuzzy Hash: 68917E70E00259DFDF10CFA8CA917DDBBF1AF48318F14952DE854A7294EB74A846CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH^q
                                          • API String ID: 0-2549759414
                                          • Opcode ID: 8b4023a5142d3be4622ca837010460ac891761eab515407aa95aef44cce6e529
                                          • Instruction ID: 70c7eef260283c0c25de81296b4e7130a4aa5da7d40ac6cd0df9044b4d3891b8
                                          • Opcode Fuzzy Hash: 8b4023a5142d3be4622ca837010460ac891761eab515407aa95aef44cce6e529
                                          • Instruction Fuzzy Hash: 1A31CC30B002018FCB199F7486542AE7BA3AB88644F20553DD006DB399EE39EC87CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR^q
                                          • API String ID: 0-2625958711
                                          • Opcode ID: 88ac9ec26a5fab50f2b756f934fa70592662f10a78cfe9a2743251e8b6691298
                                          • Instruction ID: 7526bdb0ca7157215d7ed0071e22c0e0a1bd92953259ed28212528b36a74d37f
                                          • Opcode Fuzzy Hash: 88ac9ec26a5fab50f2b756f934fa70592662f10a78cfe9a2743251e8b6691298
                                          • Instruction Fuzzy Hash: 91316D31E1020A9BEB14CFA9D54179EB7B2FF85309F108529E905FB240EB71A847CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR^q
                                          • API String ID: 0-2625958711
                                          • Opcode ID: 69115a6e7f36fc965c29eeac9c626b7313c735fcd680b24c301cac29e89bd4d7
                                          • Instruction ID: cea26bc0c1d007a2857a124a166b66e7f21bac88a2774674935bd55e550fe006
                                          • Opcode Fuzzy Hash: 69115a6e7f36fc965c29eeac9c626b7313c735fcd680b24c301cac29e89bd4d7
                                          • Instruction Fuzzy Hash: 2F21F0307042015FD709AB7CA460AAF7BB6EF8A708B0084AED155CB395DA34DC4787D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d6150788f5e8760de5b9299613ccf1c2a68a0287bb75aabc76a62791d42c943
                                          • Instruction ID: 949a9398190f9222caa24bdcdc59abf2ea9d8706a943703e35462dc16cb5ae8e
                                          • Opcode Fuzzy Hash: 6d6150788f5e8760de5b9299613ccf1c2a68a0287bb75aabc76a62791d42c943
                                          • Instruction Fuzzy Hash: F3128034B506069FDB19AB38E69462D77A3FB89349B504A3DD005CB364CF75EC4B8BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6275718d0ef617f93d2fa2af6f2eb56577275fddffe385f65c5d7d087177825
                                          • Instruction ID: 1d4ba303beb98b2cca532b5d10c66a5edb0408d8a0d73e0105f38835c5e98aa2
                                          • Opcode Fuzzy Hash: b6275718d0ef617f93d2fa2af6f2eb56577275fddffe385f65c5d7d087177825
                                          • Instruction Fuzzy Hash: 29C1D6B5B002058FDB14DF68D98079EBBB6FF88314F10856AE509DB396D734E846CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab44fe2fda995667b44ff3f1476d3c3208c195c9d2ddc4a89b2292450ba99dcd
                                          • Instruction ID: fbe18dd0f599c987f7117b4bed8b3c96cdcb6249b2ede9297b9e25f1321f22f6
                                          • Opcode Fuzzy Hash: ab44fe2fda995667b44ff3f1476d3c3208c195c9d2ddc4a89b2292450ba99dcd
                                          • Instruction Fuzzy Hash: A8C16175B002048FDB14DFA8D694AADBBB2EF88314F148569E406DB3A5DB35EC43CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d822e13ec9248a1ec8e8db992223ca3ffd3641b41cace96de5244b72ea75ba8
                                          • Instruction ID: e41d5e7b7d906337b0c46c2233e73ed766aa4591e7a656a1172baae18b57002a
                                          • Opcode Fuzzy Hash: 6d822e13ec9248a1ec8e8db992223ca3ffd3641b41cace96de5244b72ea75ba8
                                          • Instruction Fuzzy Hash: 3BA17F70E00209DFDB10DFA8DAA17DDBBF2AF48318F14952DD815A7294EB74A846CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dcf93a7e5782ec0428478f735af5dfacd355becb304bd37a553c57539a7119da
                                          • Instruction ID: e64dbd65c8824dedc5e7b23494803973d76d01870abe035b89e4fd8aa9ce5822
                                          • Opcode Fuzzy Hash: dcf93a7e5782ec0428478f735af5dfacd355becb304bd37a553c57539a7119da
                                          • Instruction Fuzzy Hash: 6B510370D00218CFDB18DFA9C994BDEBBB1BF48314F14812EE819AB351D774A946CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ba4f39cd1d645a5bfa16f584157059ae5e468babe5d0506813e42f2505b6aef
                                          • Instruction ID: 48db2c91fe120d36b7134cd4a3227e9a307e5d8b594e2a9fc48c216ce161d22c
                                          • Opcode Fuzzy Hash: 6ba4f39cd1d645a5bfa16f584157059ae5e468babe5d0506813e42f2505b6aef
                                          • Instruction Fuzzy Hash: FE510270D002188FDB18DFA9C984B9EBBB1BF48314F14912EE819AB351DB74A946CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0eda1e921d7dc045f50293624fbf52ec6e5aa133176c9ffabab67d47806fbef8
                                          • Instruction ID: a9f6c22feb6618440291e8188bc503d47ef850ce7bf91659860b74abed16c66b
                                          • Opcode Fuzzy Hash: 0eda1e921d7dc045f50293624fbf52ec6e5aa133176c9ffabab67d47806fbef8
                                          • Instruction Fuzzy Hash: B551E7312099418FCB1AEB6CF9D19447BB1EF96B05300AB79D0554FB3EEB606989CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e9a83e8a57efaaab0188bbc9e27d9a0900c2a8e74ce8596c4a2da277421b0ee
                                          • Instruction ID: ff0505524b797e036482ffc440f61ac66b495661f88dd961402e79c560a5add7
                                          • Opcode Fuzzy Hash: 2e9a83e8a57efaaab0188bbc9e27d9a0900c2a8e74ce8596c4a2da277421b0ee
                                          • Instruction Fuzzy Hash: 1051D7302199418FCB1AEB6CF9D09457BB1EF96B05300AB78D0454F73EEB606989CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 193681ffd23d04d81e62b32ac036f1372c60534ddf8164070a9381f92b90765b
                                          • Instruction ID: aa12d779ec7c8798f8e104ded35e4d51773018e73ba623cbd4f272a9f204bfac
                                          • Opcode Fuzzy Hash: 193681ffd23d04d81e62b32ac036f1372c60534ddf8164070a9381f92b90765b
                                          • Instruction Fuzzy Hash: B5315D34E046099BDB19DF69D5946AEBBB2FF89304F10C529E806E7390DB70AC47CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 23b559cd4bb0c9ac1be4e8017d992881b598facba31b965830c31756c613a5a3
                                          • Instruction ID: 5262501acb0397c9d74ae304cbadd0acb6458a4dd1ee46ff5a26dd79b6cc5f2b
                                          • Opcode Fuzzy Hash: 23b559cd4bb0c9ac1be4e8017d992881b598facba31b965830c31756c613a5a3
                                          • Instruction Fuzzy Hash: 2741F0B1D002499FDB10DFA9C984ADEBFB5FF48314F108429E909AB254DB75A946CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 937d9d814ca327d600c98daeb327602e8658b71a9d815052766bfdda8bd212d0
                                          • Instruction ID: b0872331da1968826bed53547e7a5a8fd46673b40ac81f1ddaacf52f7045798a
                                          • Opcode Fuzzy Hash: 937d9d814ca327d600c98daeb327602e8658b71a9d815052766bfdda8bd212d0
                                          • Instruction Fuzzy Hash: 1D316E34A00625DFDB18EF24C65569D73B2AF49648F10056CD806AB394EF36FD46CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33abe205ddbea6c2d10345bc113268632c94625db6798d0a06506f393e6e3afd
                                          • Instruction ID: 3d3f663b2c8a5db23a0425c481fa675e8eb2b54bc6f67ddcc5e5143e4c7dce17
                                          • Opcode Fuzzy Hash: 33abe205ddbea6c2d10345bc113268632c94625db6798d0a06506f393e6e3afd
                                          • Instruction Fuzzy Hash: B2315C34E106099BDB19DF69D5946AEB7B3FF89304F14C529E806EB390DB70AC46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c7ec016e86839b61c3895afa2c0f17982acec25a1787e29e41046e31e439528
                                          • Instruction ID: 7a9a3c33dc208e40717889612d296b93ff59371d1dc853e938fdbd46c1714073
                                          • Opcode Fuzzy Hash: 2c7ec016e86839b61c3895afa2c0f17982acec25a1787e29e41046e31e439528
                                          • Instruction Fuzzy Hash: 1841CEB1D002499FDB10DFA9C984ADEBFB5FF48314F108429E819AB254DB75A946CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b603fa016739f3d79880d8a3ffb1471496bd65f73a1b19ce3b607319e99eedc8
                                          • Instruction ID: 514b1203cf2938ac4c7a259b5c18bd445040223478b310291092b4dfc232c41b
                                          • Opcode Fuzzy Hash: b603fa016739f3d79880d8a3ffb1471496bd65f73a1b19ce3b607319e99eedc8
                                          • Instruction Fuzzy Hash: EF316C34700625DFDB18EB74C6556AE73B2AF49648F20056CD806AB3A4EF36FC42CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f7d4e31692e30fa4dbe93e3489ea538cf1b94fd32c91f02596d20f773b73179c
                                          • Instruction ID: 83ce27db64549ed3e459f0290d41a17a0f1d1fc574ad7698d9c374eedff356d8
                                          • Opcode Fuzzy Hash: f7d4e31692e30fa4dbe93e3489ea538cf1b94fd32c91f02596d20f773b73179c
                                          • Instruction Fuzzy Hash: CE318E71E002099BDB09DFA5D5906DEB7B2FF89304F14D619E809AB351DB70A847CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ccc91c68d307ceb1f6d85cbf131b22ab6616bd2ff8092a251445af359b25950e
                                          • Instruction ID: 83262ab0415452b76988baf4c83b0e7d939d5c25a02a6de2a69d389d611a2891
                                          • Opcode Fuzzy Hash: ccc91c68d307ceb1f6d85cbf131b22ab6616bd2ff8092a251445af359b25950e
                                          • Instruction Fuzzy Hash: DD21A475E00219DBDB08CFA4D5956DEF7B2EF89304F10962AE815BB341EB70A947CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d62afc801f9ef6397dd48d85092f9765fd39c1451884f8c38ae943b44596e0ef
                                          • Instruction ID: 2672a4403f78dd171ddc4c1ddf7e670814992b2f78474b281fd4d74c2f317e49
                                          • Opcode Fuzzy Hash: d62afc801f9ef6397dd48d85092f9765fd39c1451884f8c38ae943b44596e0ef
                                          • Instruction Fuzzy Hash: A4218071E0020A9BDB09CFA9D58469EF7B2FF89304F14D619E805EB351DB70A847CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1b31ad256bded4dbc710839dd8eee3b7bd664c61f25d3518d7401ac700941ff
                                          • Instruction ID: 69aa3a5c65e3f34d9240bc3136d32a99f26fcbd80ab5f99a40cfa234db3bf5be
                                          • Opcode Fuzzy Hash: c1b31ad256bded4dbc710839dd8eee3b7bd664c61f25d3518d7401ac700941ff
                                          • Instruction Fuzzy Hash: 382186386445004FDF12AF38E9C4759B755EF46758F106A29E009CB25AEB28EC478FC1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d75dbf492e31579a3d36849f6f34761d9c51f509796a2e3d2b169face319c6e
                                          • Instruction ID: 3000b95716b6508c1d4cede6fb9e3f84d73685cb1c068bda387065066acb0e89
                                          • Opcode Fuzzy Hash: 0d75dbf492e31579a3d36849f6f34761d9c51f509796a2e3d2b169face319c6e
                                          • Instruction Fuzzy Hash: D421A7706003044FEB317F28E684739B792E70635DF01256DE446C7796D629EC878B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fed4165410d177f2ee6ced8f7d05c750fb8f3724f82df65ef473074440f549c7
                                          • Instruction ID: de318c1a8ede359e04b32ecc278d2c74eab76690b2eae897ae5ae4bb4787bfbc
                                          • Opcode Fuzzy Hash: fed4165410d177f2ee6ced8f7d05c750fb8f3724f82df65ef473074440f549c7
                                          • Instruction Fuzzy Hash: A6212834600214CFDB18EF78C659AAE7BF1EF49644F100468E906EB365EB31ED428B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2886828084.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_11bd000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fa380b11dce30dee2815fcb97bc7b39d17e4c2f5044935841da8fc53cd4931a5
                                          • Instruction ID: e85802833edfa3818703a5b3080d6593cd78e90685ce25f8c3a47a3598eb4fde
                                          • Opcode Fuzzy Hash: fa380b11dce30dee2815fcb97bc7b39d17e4c2f5044935841da8fc53cd4931a5
                                          • Instruction Fuzzy Hash: DF21F271604204DFDF1DDF58E9C0B66BBA5EB84318F24C56DD9094B256C33AD446CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63f373f19feec50cc8ac50ead92417e1e8ef9e38324bd2f512b44405c1537297
                                          • Instruction ID: c4e60bf41c941b5dfb7f48c602fbc6d674f76a766678e3139f11ad117f1e45a1
                                          • Opcode Fuzzy Hash: 63f373f19feec50cc8ac50ead92417e1e8ef9e38324bd2f512b44405c1537297
                                          • Instruction Fuzzy Hash: DB217A31B04215CFDB14EB64C6556AEB7B2AF4A248F20046CD506EB365DB32AD42CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18b235411a11a046909ece6d68d1e3746007ab403be567edc6ccffa58ffcb86c
                                          • Instruction ID: 95d94326265d00a1ec2528a6153435051ce3245b78ea86bda466f6e21850c75b
                                          • Opcode Fuzzy Hash: 18b235411a11a046909ece6d68d1e3746007ab403be567edc6ccffa58ffcb86c
                                          • Instruction Fuzzy Hash: BA219271E0020ADBDF09CFA5D9449DEF7B2AF89314F10962AE815F7341DB70A846CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f9ebc84456f86f3246a72c9c205528ef72d89ca24121b15cc66b3f623bdcef3
                                          • Instruction ID: c554dc47659fb7038f4988b03a9519290cdbb033763dffe6d7892f2bf18d71de
                                          • Opcode Fuzzy Hash: 8f9ebc84456f86f3246a72c9c205528ef72d89ca24121b15cc66b3f623bdcef3
                                          • Instruction Fuzzy Hash: 9F213E35B04215CFDB14EB64C6156AEB7F1AF89244F20046CD406EB355DB35ED42CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90585a4dc3e6b0a3bbfd7d9681bf333099a93017af3e3004f1c50e3767e61766
                                          • Instruction ID: a88b69f73f76efe718a06d42b66de91c89e43be8749f3e4df41b19843b96569c
                                          • Opcode Fuzzy Hash: 90585a4dc3e6b0a3bbfd7d9681bf333099a93017af3e3004f1c50e3767e61766
                                          • Instruction Fuzzy Hash: A22154382445054FDB12EF38E9C4759B756EF46758F106A29E00ACB25AEB38EC868FD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fb8d2e2a7c4e381127dbd77ee731a04650107cb3c6082424aed890e4b249cbb
                                          • Instruction ID: 0bd685bfc318c5ddd68046a5c1d17b9532c731c4592be2256d0a94664cddc448
                                          • Opcode Fuzzy Hash: 2fb8d2e2a7c4e381127dbd77ee731a04650107cb3c6082424aed890e4b249cbb
                                          • Instruction Fuzzy Hash: 12211634700214CFDB18EF78C659AAE7BF1AF4D644F101468E406EB3A5EB32AD41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97f5ef932c23d52609d604492e04c9ba0f45baf9a3abbf5455094208ac89dc88
                                          • Instruction ID: 982dfddca692c45d7869b3c777b06f5753048ae8a346932f50fd38f90f417a3f
                                          • Opcode Fuzzy Hash: 97f5ef932c23d52609d604492e04c9ba0f45baf9a3abbf5455094208ac89dc88
                                          • Instruction Fuzzy Hash: D6118271E013548FDF219FB896501EDBBB4FB45119B14507ED805E7202E635E843CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a661a39bfe3978571f62259883959704ab81e6f61f4a6bef3224c6d29fa94217
                                          • Instruction ID: e4ca9edb3e6ac3d222526e9a757562c52f1ff0248a083e6a9f4371e68d0c9ec3
                                          • Opcode Fuzzy Hash: a661a39bfe3978571f62259883959704ab81e6f61f4a6bef3224c6d29fa94217
                                          • Instruction Fuzzy Hash: DC11B232B00304CBEF605BF8D65036973A5EB46318F10993ED056DB241DA24E8874BD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3647f46b4223752be8967e0ee99b99e4ae925e73ca3a2564ebced66c83a6c998
                                          • Instruction ID: 65c27a6430e0760a1221de4c59f351a3711912d545d5d1fdf3ab71c20e2daa68
                                          • Opcode Fuzzy Hash: 3647f46b4223752be8967e0ee99b99e4ae925e73ca3a2564ebced66c83a6c998
                                          • Instruction Fuzzy Hash: B2113A76F002059FCF11AF78A94825EBBE2EF49A94F004529E90AD3341EB34DC07CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1d18e771106e58040dbdb4cc2a21dd99909f856ad358445b098627243d40b39
                                          • Instruction ID: ef4f4b20df1dcc23fa98f7995b06b46115e2c14a46bed7227f9447edc438be87
                                          • Opcode Fuzzy Hash: b1d18e771106e58040dbdb4cc2a21dd99909f856ad358445b098627243d40b39
                                          • Instruction Fuzzy Hash: 0611BF32B10204CFEF64ABF8D64436E72A6EB85318F10993DE006DF354DA20E8868BD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2886828084.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_11bd000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                          • Instruction ID: 6fb3095d13b0faf7fa9b5cb82e0375ace36aab05c9da3e76fd4661fdd87da9ca
                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                          • Instruction Fuzzy Hash: 0A11BB75504280CFDB1ACF58E5C4B55BFA1FB84318F28C6AADC494B656C33AD44ACB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1a0fd1db1e09a43f8db12121b8b4e9362a25665b138dfaf0bb23a6fe5acba99d
                                          • Instruction ID: 1e7a677c55c990f6a9359b2440c8cf2f8f415432e25a55247fada7dbba25a7fa
                                          • Opcode Fuzzy Hash: 1a0fd1db1e09a43f8db12121b8b4e9362a25665b138dfaf0bb23a6fe5acba99d
                                          • Instruction Fuzzy Hash: DA012D71E002549FDF21EFB886505ADBBE5AB48219B14647DD805E7301E735E9828BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1113a70a697123b85c1c61ecaf134332f6c2fd358f8f03046dfffaf42f5ffaa2
                                          • Instruction ID: a625a6cae4a870aad946a1ec8455b22dd7840ccf267dba659db80975e9b985ef
                                          • Opcode Fuzzy Hash: 1113a70a697123b85c1c61ecaf134332f6c2fd358f8f03046dfffaf42f5ffaa2
                                          • Instruction Fuzzy Hash: 8401F2785442059FCB06EBA8FA81ADDBB71EF4134CB1043A8C4085F2AADB316A4787C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad0e0b4a2d2add2b6e28f2a78c857d403040e414377221a2ef62c7cd40e15a05
• Instruction ID: ecb571713516bf0605568befaab5c3afe60c3186ee8078dffcc2b265098aaf49
• Opcode Fuzzy Hash: ad0e0b4a2d2add2b6e28f2a78c857d403040e414377221a2ef62c7cd40e15a05
• Instruction Fuzzy Hash: 64F0F673E04150CFEB228BE485A01ACFBA0EF5522971960DED806DB712D321F943CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb0929ba98a477d2741ba1a5c0a5d218ac16f55146e0971262aaee0e36eed47f
• Instruction ID: e92be8a1f93b0d64933414154652e8ef749ad7e208988ba18bc979c9c7607652
• Opcode Fuzzy Hash: eb0929ba98a477d2741ba1a5c0a5d218ac16f55146e0971262aaee0e36eed47f
• Instruction Fuzzy Hash: 92F0C435B00208CFD754EB74D598A6D77B2EF8966AF1040A8E5069B3A0CB39AD42CF41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2eb8f71c7bfe9c7d2dcfadb00ff3f11ec5e969b90396109cbacb6ac85b94561e
• Instruction ID: 138352242e994ea1fc1448725c1cc645bcfafe6df8e41b3a02c5262d12cdd35a
• Opcode Fuzzy Hash: 2eb8f71c7bfe9c7d2dcfadb00ff3f11ec5e969b90396109cbacb6ac85b94561e
• Instruction Fuzzy Hash: 53F0E2B5500045AFEB04CBA8DC84EFBBBACEBC5325B188196F048CB017C6389857C7A0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2888717413.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4ec0000_yMHzNMo3xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68d5d074ca2a612b78615fef673b610f2fd516adbf00b14a11f351ff5059e422
• Instruction ID: b8bf9aff73ee659525eac23cb70dc894848cee06a2a33ea9024b46604ac232a4
• Opcode Fuzzy Hash: 68d5d074ca2a612b78615fef673b610f2fd516adbf00b14a11f351ff5059e422
• Instruction Fuzzy Hash: 14F04438950109EFCB45FBA8FA81A9DBBB5EF40308F505678C0089B258DF316E499BC1
Uniqueness
• Uniqueness Score: -1.00%